
AC500-S Safety user manual V1.3.0 - ABB

Mar 05, 2023

MANUAL

AC500-S Safety user manual V1.3.0
Original instructions

Table of contents

1 Introduction ... 6
  1.1 Purpose ... 6
  1.2 Document history ... 6
  1.3 Validity ... 8
  1.4 Important user information ... 9
  1.5 Definitions, expressions, abbreviations ... 9
  1.6 Functional safety certification ... 12
  1.7 References / related documents ... 12
  1.8 Applicable standards ... 13

2 Overview of AC500-S safety PLC ... 15
  2.1 Overview ... 15
    2.1.1 System ... 15
    2.1.2 Safety components ... 16
  2.2 Intended use ... 18
  2.3 Safety loop ... 19
  2.4 Safety values ... 19
  2.5 Qualified personnel ... 20
  2.6 Lifecycle ... 20
  2.7 Installation of safety modules ... 20
  2.8 Exchange of modules ... 21
  2.9 AC500-S restart behavior ... 21
  2.10 Replacing AC500-S safety PLC components ... 21
  2.11 Environmentally friendly disposal ... 21
  2.12 Safe communication ... 22
  2.13 Safety function and fault reaction ... 24
    2.13.1 Safety CPU (SM560-S / SM560-S-FD-1 / SM560-S-FD-4) ... 24
    2.13.2 Safety module with safety input channels (DI581-S, DX581-S and AI581-S) ... 25
    2.13.3 Safety module with safety output channels (DX581-S) ... 25
  2.14 Safety function test ... 25
  2.15 Troubleshooting ... 25
  2.16 FAQ - AC500-S safety PLC ... 30

3 AC500-S safety modules ... 34
  3.1 Safety CPU - SM560-S / SM560-S-FD-1 / SM560-S-FD-4 ... 34
    3.1.1 Purpose ... 34
    3.1.2 Functionality ... 34
    3.1.3 Mounting, dimensions and electrical connection ... 42
    3.1.4 Diagnosis and LED status display ... 43
    3.1.5 Safety CPU module states ... 46
    3.1.6 Safety and non-safety CPU interaction ... 49
    3.1.7 Parameterization ... 50
    3.1.8 Technical data ... 51
    3.1.9 Ordering data ... 53
  3.2 Generic safety I/O module behavior ... 54
    3.2.1 Overview ... 54
    3.2.2 Safety I/O module states ... 54
    3.2.3 Undervoltage / overvoltage ... 63
    3.2.4 Diagnosis ... 64
  3.3 DI581-S safety digital input module ... 65

Table of contents

2022/02/04 3ADR025091M0210, 14, en_US 2

    3.3.1 Purpose ... 65
    3.3.2 Functionality ... 66
    3.3.3 Mounting, dimensions and electrical connection ... 69
    3.3.4 Internal data exchange ... 73
    3.3.5 I/O configuration ... 73
    3.3.6 Parameterization ... 73
    3.3.7 Circuit examples DI581-S ... 73
    3.3.8 LED status display ... 85
    3.3.9 Technical data ... 86
    3.3.10 Ordering data ... 89
  3.4 DX581-S safety digital input/output module ... 90
    3.4.1 Purpose ... 90
    3.4.2 Functionality ... 91
    3.4.3 Mounting, dimensions and electrical connection ... 95
    3.4.4 Internal data exchange ... 99
    3.4.5 I/O configuration ... 99
    3.4.6 Parameterization ... 99
    3.4.7 Circuit examples DX581-S ... 100
    3.4.8 LED status display ... 106
    3.4.9 Technical data ... 107
    3.4.10 Ordering data ... 111
  3.5 AI581-S safety analog input module ... 112
    3.5.1 Purpose ... 112
    3.5.2 Functionality ... 113
    3.5.3 Mounting, dimensions and electrical connection ... 115
    3.5.4 Internal data exchange ... 118
    3.5.5 I/O configuration ... 118
    3.5.6 Parameterization ... 118
    3.5.7 Circuit examples AI581-S ... 119
    3.5.8 LED status display ... 125
    3.5.9 Technical data ... 126
    3.5.10 Ordering data ... 129
  3.6 TU582-S safety I/O terminal unit ... 130
    3.6.1 Functionality ... 130
    3.6.2 Mounting, dimensions and electrical connection ... 131
    3.6.3 Technical data ... 133
    3.6.4 Ordering data ... 134

4 Configuration and programming ... 135
  4.1 Overview ... 135
    4.1.1 Automation Builder ... 135
    4.1.2 Safety engineering ... 135
    4.1.3 Safety measures ... 136
    4.1.4 Protection against unintended modifications ... 136
  4.2 Workflow ... 136
  4.3 System configuration and programming ... 137
    4.3.1 Installation ... 137
    4.3.2 License activation ... 137
    4.3.3 Creation of new project and user management ... 137
    4.3.4 Working with PROFINET/PROFIsafe F-Devices ... 138
    4.3.5 Instantiation and configuration of safety modules / definition of variable names ... 140
    4.3.6 Programming of AC500-S safety CPU ... 148


    4.3.7 Checking of program and system configuration ... 167
  4.4 Safety programming guidelines ... 182
    4.4.1 Overview ... 182
    4.4.2 Framework ... 182
    4.4.3 Language-specific programming guidelines ... 184
    4.4.4 General programming guidelines ... 190
    4.4.5 Safety and non-safety parts of the application ... 191
  4.5 Safety code analysis tool ... 191
  4.6 AC500-S libraries ... 192
    4.6.1 Overview ... 192
    4.6.2 Safety_Standard.lib ... 193
    4.6.3 SafetyBase_PROFIsafe_LV210_AC500_V22.lib ... 197
    4.6.4 SafetyBlocks_PLCopen_AC500_v22.lib ... 202
    4.6.5 SafetyDeviceExt_LV100_PROFIsafe_AC500_V27.lib ... 305
    4.6.6 SafetyExt2_LV110_AC500_V27.lib ... 309
    4.6.7 SafetyExt_AC500_V22.lib ... 316

5 Safety times ... 334
  5.1 Overview ... 334
  5.2 Fault reaction time ... 334
  5.3 Safety function response time ... 334

6 Checklists for AC500-S commissioning ... 343
  6.1 Overview ... 343
  6.2 Checklist for creation of safety application program ... 343
  6.3 Checklist for configuration and wiring ... 346
  6.4 Checklist for operation, maintenance and repair ... 348
  6.5 Verification procedure for safe iParameter setting in AC500-S safety I/Os ... 350
    6.5.1 Verification procedure workflow ... 350
    6.5.2 Verification tables for iParameter settings in AC500-S safety I/Os ... 351

7 Safety application examples ... 359
  7.1 Overview ... 359
  7.2 Example 1: diagnostics concept ... 360
    7.2.1 Functional description of safety functions ... 360
    7.2.2 Graphical overview of safety application interface ... 361
    7.2.3 Declaration of used variables ... 361
    7.2.4 Program example ... 362
    7.2.5 Additional notes ... 363
  7.3 Example 2: muting ... 364
    7.3.1 Functional description of safety functions ... 364
    7.3.2 Graphical overview of the safety application interface ... 365
    7.3.3 Declaration of used variables ... 365
    7.3.4 Program example ... 367
    7.3.5 Additional notes ... 367
  7.4 Example 3: two-hand control ... 368
    7.4.1 Functional description of safety functions ... 368
    7.4.2 Graphical overview of the safety application interface ... 369
    7.4.3 Declaration of used variables ... 370
    7.4.4 Program example ... 370
    7.4.5 Additional notes ... 371

8 Index ... 372

Appendix ... 375


  A System data for AC500-S-XC ... 376
  B Usage of safety CPU with AC500 V2 non-safety CPU PM5xx ... 382
  C Usage of safety CPU with AC500 V3 non-safety CPU PM56xx ... 400
  D Release information ... 418


1 Introduction

1.1 Purpose

This safety user manual describes the AC500-S safety PLC system. It provides detailed information on how to install, run, program and maintain the system correctly in functional safety applications up to SIL 3 according to IEC 61508, max. SIL 3 according to IEC 62061 and performance level e (category 4) according to ISO 13849-1.

ABB's AC500 series is a PLC-based modular automation solution that makes it easy to mix and match safety and non-safety I/O modules to meet automation market requirements.

1.2 Document history

Each entry below gives the revision, the description of the version / changes, who made them and the date.

Rev. 1.3.0 (ABB, 04.02.2022)
Various improvements in the text. Company name was changed. Programming environment for safety devices was renamed to "AC500-S Programming Tool".
Major changes:
● New PROFIsafe V2.6 protocol features were added, e.g.:
  – FLOAT32, INT32, UINT32 are supported
  – Chapter 4.3.5: PROFIsafe V2.6 F-Parameters were added
  – Chapter 4.3.6.1: PROFIsafe V2.6 F-(Sub)Modules were added
  – Chapter 4.6.3: Updated according to the new F-Host library SafetyBase_PROFIsafe_LV210_AC500_V22.lib
  – Appendix B.2.1: PROFIsafe V2.6 F-Device diagnosis messages are added
● New chapter 4.6.6.4: Specific functions for user-defined CRC (new function blocks in library SafetyExt2_LV110_AC500_V27.lib)
● New appendix D: Firmware / software version tracking

Rev. 1.2.1 (ABB, 24.03.2021)
Various improvements in the text.
Major changes:
● Chapters 3.4.7 and 3.5.7: New circuit examples for DX581-S and AI581-S were added.
● Chapter 4.1: Information about new Safety Engineering was added.
● Chapter 6.2: New check list item no. 23 for endianness checks was added.

Rev. 1.2.0 (ABB, 19.06.2020)
Various typos were corrected and various improvements in the texts and illustrations were made. Layout was changed to current ABB branding.
Major changes:
● Chapter 4.3.7.1: New safety verification tool SVT was added.
● Safety modules are supported by AC500 V3 non-safety CPUs. Specific information on handling safety modules with non-safety CPUs transferred to appendices B + C. Appendix B contains all specific information about safety modules with V2 non-safety CPUs PM5xx. Appendix C contains all specific information about safety modules with V3 non-safety CPUs PM56xx.
● Chapter 3.1.2.6: "Firmware, boot code and boot project update" was updated.
● Assembly instructions of safety I/O modules were updated.


Rev. 1.1.0 (ABB, 16.03.2018)
Various typos were corrected. Various improvements in the text.
Major changes:
● Information about SM560-S-FD-1(-XC) and SM560-S-FD-4(-XC) safety CPUs was added.
● Ch. 4.6.7: New PROFIsafe F-Device library SafetyDeviceExt_LV100_PROFIsafe_AC500_V27.lib was added.
● Ch. 4.6.8: New Safety library SafetyExt2_LV100_AC500_V27.lib was added.
● Detailed information about relevant standards was added.
● Checklists for AC500-S commissioning in Chapter 6 were updated.

Rev. 1.0.5 (ABB, 23.10.2017)
Various typos were corrected. Minor improvements in the text and removal of screen shots for older versions of Automation Builder.
Major changes:
● New PROFIsafe F-Host library SAFETYBASE_PROFIsafe_LV200_AC500_V22.lib is used in the document.
● FAQ (Frequently Asked Questions) list was added.
● Ch. 2.4: Detailed safety values for AC500-S modules were provided.
● Ch. 4.3.6: "DANGER!" note was added to explain PROFIsafe Device_Fault bit usage.
● Ch. 6.3: New checklist item 9 was added.

Rev. 1.0.4 (ABB, 27.03.2017)
Various typos were corrected. Minor improvements in the text.
Major changes:
Licensing information was updated:
● Ch. 4.1: Notice Block with reference to PS501-S license installation removed.
● Ch. 4.2: Figure 63 updated (Programming workflow, step 2) was enhanced for the license handling of Automation Builder version V2.0.2 (or higher).
● Ch. 4.3.2: "Licence activation" was extended with additional licensing information for usage of Automation Builder version V2.0.2 (or higher).
Additional information according to the new F-Host library "SAFETYBASE_PROFIsafe_AC500_V22_Ext.lib" was added:
● Ch 4.6.1: Table for library "SAFETYBASE_PROFIsafe_AC500_V22_Ext.lib" was updated.
● Ch. 4.6.3: The chapter was updated and renamed acc. to the new library name "SAFETYBASE_PROFIsafe_AC500_V22_Ext.lib".
● Ch. 6.2: Checklist item 20 was updated according to the new library name "SAFETYBASE_PROFIsafe_AC500_V22_Ext.lib".


Rev. 1.0.3 (ABB, 28.05.2015)
Various typos were corrected. Additional abbreviations were included in the abbreviation list.
The entire document was re-styled:
● The yellow background on notices and recommendations was replaced by a light-grey background because of document standardization.
● "DANGER" and "NOTICE" symbols were replaced by standard symbols from German Standard DIN 4844-2 in text boxes.
The text was changed in the document:
● More standard terms are now used in the document.
● Values for storage and transport temperatures were extended.
● Vertical mounting option (with derating) is added for SM560-S Safety CPU and corrected for DI581-S and AI581-S Safety I/O modules.
● LREAL is not supported by SM560-S Safety CPUs and was removed from the document.
● POU SF_MAX_POWER_DIP_GET description was modified.
● "DANGER" text box was added for POU SF_DPRAM_PM5XX_S_SEND to explain limitations for POU usage.
● F_WD_Time2 and Device_WD2 term definitions in Chapter 5.3 were corrected.
● "F_Host_WD" was replaced with "the value set using SF_WDOG_TIME_SET" inside of "NOTICE" box in Chapter 5.3.

Rev. 1.0.2 (ABB, 17.04.2015)
Words "Original Instructions" have been added to document title.

Rev. 1.0.1 (ABB, 08.03.2013)
Minor typos were corrected. TÜV SÜD certificate was added.
The text was changed in the document:
● Safety I/O inputs and outputs are not electrically isolated from the other electronic circuitry of the module.
● The safety values for safety outputs of DX581-S (-XC) module are only valid if the parameter "Detection" is set to "On".
● DC (diagnostic coverage) for DX581-S (-XC) module shall be ≥ 94 %.
● The clarification was added that the boot project update on SM560-S is possible only if no boot project is loaded on SM560-S.
● Not more than one communication error (CE_CRC or Host_CE_CRC output signals become equal to TRUE) per 100 hours is allowed to be acknowledged by the operator using OA_C input signal without consulting the responsible safety personnel.
● SM560-S cycle time shall be included three times instead of two times in Safety Function Response Time calculation.
● The values for input delay accuracy in Safety Function Response Time calculation were updated.
● Update of Appendix A with system data for AC500-S-XC.

Rev. 1.0.0 (ABB, 19.12.2012)
First release.

1.3 Validity

The data and illustrations found in this documentation are not binding. ABB reserves the right to modify its products in line with its policy of continuous product development.


1.4 Important user information

This documentation is intended for qualified personnel familiar with functional safety. You must read and understand the safety concepts and requirements presented in this safety user manual prior to operating the AC500-S safety PLC system. The following special notices may appear throughout this documentation to warn of potential hazards or to call attention to specific information.

DANGER!
The notices referring to your personal safety are highlighted in the manual by this safety alert symbol, which indicates that death or severe personal injury may result if proper precautions are not taken.

NOTICE!
This symbol of importance identifies information that is critical for successful application and understanding of the product. It indicates that an unintended result can occur if the corresponding information is not taken into account.

1.5 Definitions, expressions, abbreviations

1oo2: One-out-of-Two safety architecture, which means that it includes two channels connected in parallel, such that either channel can process the safety function.

AC500: ABB non-safety PLC

AC500-XC: ABB non-safety PLC suitable for extreme environmental conditions

AC500-S: ABB safety PLC for applications up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1)

AC500-S-XC: ABB safety PLC for applications up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) suitable for extreme environmental conditions

AC500-S Programming Tool: IEC 61131-3 editor, included in engineering suite Automation Builder

ADC: Analog to digital converter

AOPD: Active optoelectronic protective device

Automation Builder: Integrated engineering suite for ABB PLCs, including the AC500-S Programming Tool

CCF: Common cause failure

Control Builder Plus PS501: Integrated engineering suite for ABB PLCs, including the AC500-S Programming Tool, predecessor of Automation Builder

CPU: Central processing unit

CRC: Cyclic redundancy check. A number derived from and stored or transmitted with a block of data in order to detect data corruption.

DC: Diagnostic coverage

DPRAM: Dual-ported random access memory

DUT: Data unit type

IEC: International Electrotechnical Commission standard

Introduction

Definitions, expressions, abbreviations

2022/02/04 3ADR025091M0210, 14, en_US 9


EDM - External device monitoring signal, which reflects the state transition of an actuator
EMC - Electromagnetic compatibility
EN - European norm (European standard)
EPROM - Erasable programmable read-only memory
Error severity - Indicated by a number. The lower the number is, the more critical is the displayed error. E.g., "1" = the CPU does not start because the error does not allow a normal operation, "11" = different parameter settings
ESD - Electrostatic discharge
ESPE - Electro-sensitive protective equipment (for example a light curtain)
F-Host - Data processing unit that is able to perform a special protocol and to service the "black channel" (see [2])
F-Device - Passive communication peer that is able to perform the special protocol, usually triggered by the F-Host for data exchange (see [2])
F-Parameter - Fail-safe parameter as defined in [2]
FAQ - Frequently asked questions
FB - Function block
FBD - Function block diagram (IEC 61131 programming language)
Flash memory - Non-volatile computer storage chip that can be electrically erased and reprogrammed
FSCP - Functional safety communication profile
FV - Fail-safe value
GSDML - Generic station description markup language
ID - Identification
IO controller - Controller that controls the automation task in PROFINET context
IO device - Field device, monitored and controlled by an IO controller in PROFINET context
iParameter - Individual safety device parameter
LAD - Ladder logic diagram (IEC 61131 programming language)
Loop-back - The programmable routing feature of a bus device unintentionally re-routes an F-Host message back to the F-Host, which expects a message of the same length (refer to www.profisafe.net for further details).
LSB - Least significant bit
Max. SIL - Maximum safety integrity level (IEC 62061)
MSB - Most significant bit
MTBF - Mean time between failures
MTTF - Mean time to failure
Muting - Muting is the intended suppression of the safety function. This is required, e.g., when transporting the material into the danger zone.
NC - Break contact. Normally-closed contacts disconnect the circuit when the relay is activated; the circuit is connected when the relay is inactive.
NO - Make contact. Normally-open contacts connect the circuit when the relay is activated; the circuit is disconnected when the relay is inactive.
OEM - Original equipment manufacturer
OSSD - Output signal switching device


Passivation - The passivation is the special state of safety I/O modules which leads to the delivery of safe substitute values, which are ‘0’ values in AC500-S, to the safety CPU.
PC - Personal computer
PELV - Protective extra low voltage
PES - Programmable electronic system (refer to IEC 61508)
PFD - Probability of failure on demand
PFH - Probability of failure per hour
PL - Performance level according to ISO 13849-1
PLC - Programmable logic controller
POU - Program organization unit
Power cycle - Power cycle means to power off the safety CPU, wait for at least 1.5 s and power on the safety CPU again.
PROFIsafe - Safety-related bus profile of PROFIBUS DP/PA and PROFINET IO for communication between the safety program and the safety I/O in the safety system
PROFINET - Industrial technical standard for data communication over Industrial Ethernet
Proof Test Interval - The proof test is a periodic test performed to detect failures in a safety-related system so that, if necessary, the system can be restored as close as possible to its previous new state. The time period between these tests is the proof test interval.
PS - Programming system
PTC - Positive temperature coefficient
RAM - Random access memory
Reintegration - It is the process of switching from substitute values "0" to the process data.
RIOforFA - Profile for remote I/O for factory automation. To get quality information of a channel synchronously via the diagnosis mechanism (see [12]).
Safety variable - It is a variable used to implement a safety function in a safety-related system
SCA - Safety code analysis - ABB software tool to automatically check the safety programming rules
SD card - Secure digital memory card
SELV - Safety extra low voltage
SFRT - Safety function response time
SIL - Safety integrity level (IEC 61508)
ST - Structured text (IEC 61131 programming language)
SVT - Safety Verification Tool - ABB software tool to verify the AC500-S safety configuration in Automation Builder
TÜV - Technischer Überwachungs-Verein (technical inspection association)
TWCDT - Total worst case delay time
ULP - Unit in the last place, which is the spacing between floating-point numbers, i.e., the value the least significant bit represents if it is 1 (refer to http://en.wikipedia.org/wiki/Unit_in_the_last_place for more details).
WLAN - Wireless local area network


1.6 Functional safety certification

The AC500-S safety modules are safety-related up to SIL 3 according to IEC 61508, max. SIL 3 according to IEC 62061 and PL e according to ISO 13849-1, as certified by TÜV SÜD Rail GmbH (Germany).

The AC500-S is a safety PLC whose operational reliability is significantly improved compared to a non-safety PLC by using 1oo2 redundancy in the hardware and additional diagnostic functions in its hardware and software. The embedded safety integrity diagnostic functions are based on the safety standards current at the time of certification (see TÜV SÜD Rail Certification Report for AC500-S [1]). These safety integrity tests include test routines which are run during the whole operating phase, making the AC500-S safety PLC suitable for safety machinery and process applications up to SIL 3 according to IEC 61508, max. SIL 3 according to IEC 62061 and PL e according to ISO 13849-1.

NOTICE!
Please refer to the TÜV SÜD Rail Certification Report for AC500-S [1] for a complete list of standards and further details, like versions of standards, etc.

The proof test interval for the AC500-S safety PLC is set to 20 years.

PFH, PFD, MTTFd, category and DC values from IEC 61508, IEC 62061 and ISO 13849-1 for AC500-S safety modules satisfy SIL 3, max. SIL 3 and PL e requirements (see Chapter 2.4 “Safety values” on page 19).

1.7 References / related documents

[1] - TÜV SÜD Rail Certification Report for AC500-S Safety PLC, Version - 2018 (or newer), available at www.abb.com/plc
[2] - PROFIsafe - Profile for Safety Technology on PROFIBUS and PROFINET Profile part, related to IEC 61784-3-3, Version 2.6MU1, 2018/08 (or newer)
[3] - AC500 user documentation for Automation Builder / Control Builder Plus, available at www.abb.com/plc
[4] - IEC 61131, 2003 (or newer), Programmable Controllers, Part 3 - Programming Languages
[5] - Computer Science and Engineering at University of California, Riverside, Chapter 14, Ch14_Floating Point Calculations and its drawbacks.pdf
[6] - User Examples with PLCopen Safety Functions, Version 1.0.1, 2008 (or newer)
[7] - PROFIsafe System Description, Version - Nov. 2007 (or newer)
[8] - PLCopen Safety: Concepts and Function Blocks, Version 1.0, 2006 (or newer)
[9] - ISO 13849-1: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design, 2015 (or newer)
[10] - PROFIBUS Guideline: PROFIsafe - Environmental Requirements, V2.5, March 2007 (or newer)
[11] - PROFIBUS Guideline: Communication Function Blocks on PROFIBUS DP and PROFINET IO, V2.0, November 2005. Order No. 2.182 (or newer)
[12] - RIO-FA_3242_V110_Aug18.pdf, 2018/10/30, version 1.1.0, order no. 3.242, https://de.profibus.com/downloads/remote-io-for-factory-automation-rio-for-fa


1.8 Applicable standards

Standard | Date | Title
IEC 61508 | 2010 | Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 62061 | 2021 | Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
ISO 13849-1 | 2015 | Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
IEC 60204-1 | 2016 | Safety of machinery - Electrical equipment of machines - Part 1: General requirements
IEC 61496-1 | 2020 | Safety of machinery - Electro-sensitive protective equipment
IEC 61511-1 + AMD1 | 2016 / 2017 | Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements
IEC 61326-3-1 | 2017 | EMC for functional safety
IEC 61131-2 | 2017 | Programmable controllers - Part 2: Equipment requirements and tests
ISA-71.04-2013 Harsh group A | 2016 | Environmental Conditions for Process Measurement and Control Systems - Airborne Contaminants
IEC 60721-3-3 | 2002 | Classification of environmental conditions - Part 3-3: Classification of groups of environmental parameters and their severities - Stationary use at weather protected locations
CISPR 16-1-2 | 2014 | Specification for radio disturbance and immunity measuring apparatus and methods - Part 1-2: Radio disturbance and immunity measuring apparatus - Ancillary equipment - Conducted disturbances
CISPR 16-2-1 | 2017 | Specification for radio disturbance and immunity measuring apparatus and methods - Part 2-1: Methods of measurement of disturbances and immunity - Conducted disturbance measurements
CISPR 16-2-3 | 2016 | Specification for radio disturbance and immunity measuring apparatus and methods - Part 2-3: Methods of measurement of disturbances and immunity - Radiated
IEC 61000-4-2 | 2008 | Electromagnetic compatibility (EMC) - Part 4-2: Testing and measurement techniques - Electrostatic discharge immunity test
IEC 61000-4-3 | 2010 | Electromagnetic compatibility (EMC) - Part 4-3: Testing and measurement techniques - Radiated, radio-frequency, electromagnetic field immunity test
IEC 61000-4-4 | 2012 | Electromagnetic compatibility (EMC) - Part 4-4: Testing and measurement techniques - Electrical fast transient/burst immunity test
IEC 61000-4-5 | 2017 | Electromagnetic compatibility (EMC) - Part 4-5: Testing and measurement techniques - Surge immunity test
IEC 61000-4-6 | 2013 | Electromagnetic compatibility (EMC) - Part 4-6: Testing and measurement techniques - Immunity to conducted disturbances, induced by radio-frequency fields
IEC 61000-4-8 | 2009 | Electromagnetic compatibility (EMC) - Part 4-8: Testing and measurement techniques - Power frequency magnetic field immunity test


IEC 60715 | 2017 | Dimensions of low-voltage switchgear and controlgear - Standardized mounting on rails for mechanical support of switchgear, controlgear and accessories
IEC 60068-2-1 | 2009 | Environmental testing - Part 2-1: Tests - Test A: Cold
IEC 60068-2-6 | 2007 | Environmental testing - Part 2-6: Tests - Test Fc: Vibration (sinusoidal)
IEC 60068-2-27 | 2008 | Environmental testing - Part 2-27: Tests - Test Ea and guidance: Shock
IEC 60068-2-30 | 2005 | Environmental testing - Part 2-30: Tests - Test Db: Damp heat, cyclic (12 + 12 h cycle)
IEC 60068-2-52 | 2017 | Environmental testing - Part 2-52: Tests - Test Kb: Salt mist, cyclic (sodium chloride solution)
IEC 60068-2-64 | 2008 | Environmental testing - Part 2-64: Tests - Test Fh: Vibration, broadband random and guidance
IEC 60068-2-78 | 2012 | Environmental testing - Part 2-78: Tests - Test Cab: Damp heat, steady state

NOTICE!
Contact ABB technical support for further details.


2 Overview of AC500-S safety PLC

2.1 Overview

The AC500-S is realized as a 1oo2 system (both safety CPU and safety I/O modules) and can be used to handle safety functions with SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) requirements in high-demand systems of safety machinery applications and low-demand systems of safety process applications. A 1oo2 system includes two microprocessors. Each of them executes the safety logic in its own memory area and both compare the results of the execution. If a mismatch in the execution or an error is detected, the system goes to a safe state, which is described for each of the safety modules separately.

2.1.1 System

The AC500-S safety PLC is an integrated part of the AC500 platform with a real common look & feel engineering approach. Due to the tight integration in the AC500 PLC platform, the generic AC500 system characteristics (mechanics, programming, configuration etc.) are also valid for AC500-S safety modules.

All non-safety AC500 modules are considered to be interference-free modules for the AC500-S safety PLC. In contrast to safety modules, interference-free modules are not used to perform safety functions. A fault in one of these modules does not influence the execution of the safety functions in a negative way.

The term "integrated safety" applied to the AC500-S safety PLC and AC500 platform means:
● One PROFINET IO fieldbus is used for safety and non-safety communication.
● The same engineering environment with real look & feel is used for both safety and non-safety programming.
● The same hardware and wiring look & feel is used within safety and non-safety modules.
● The same diagnostics concept is used for safety and non-safety modules.


Fig. 1: Overview on ABB’s AC500 family with safety and non-safety modules

1 Non-safety communication module
AC500 covers all common communications standards, such as Ethernet, EtherCAT, PROFINET IO, PROFIBUS DP, CANopen, DeviceNet, Modbus TCP, Modbus serial, Serial, ABB CS31 and PROFIsafe via PROFINET. Combinable to form optimally scaled network nodes, ABB’s AC500 is suitable for both small-scale applications and large-scale industrial systems.

2 Safety CPU
Safety CPUs certified up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1). An array of features such as system diagnostics provided via LEDs and the onboard display of non-safety CPUs provides the added diagnostic concept required for integrated safety.

3 Non-safety CPU
ABB’s complete AC500 range of non-safety CPUs can be used with the safety CPU to create customized solutions - even for the most challenging requirements. The programming of safety and non-safety applications is offered via a non-safety PLC interface.

4 Safety I/O module
Safety I/O modules certified up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1). Features such as channel-wise error diagnostics and the flexibility to choose between channel-wise or module switch-off in case of a channel error make working safely easier.

5 Non-safety I/O module
With ABB’s non-safety I/O modules, the complete S500 and S500-eCo I/O module range can be connected to the non-safety PLC. A wealth of functions in AC500 configurable I/O modules allows getting customized and low-priced solutions to optimize industrial applications.

2.1.2 Safety components

The AC500-S safety PLC includes the following safety-related hardware components.


[Figure: SM560-S safety CPU front view with DIAG, PWR, RUN, I-ERR and E-ERR LEDs and ADDR x10H / ADDR x01H hexadecimal rotary switches (0 ... F)]

Safety CPU (safety module) for up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e(ISO 13849-1) safety applications.

[Figure: DI581-S front view; nameplate: UP 24VDC 5W 16SDI Safety Digital Input 24VDC; terminals 1.0 ... 4.9 with test pulse outputs T0 ... T7, inputs I0 ... I15, UP and ZP; PWR, ERR1 and ERR2 LEDs; ADDR x10H / ADDR x01H hexadecimal rotary switches (0 ... F)]

Safety binary input module DI581-S with 16 safety input channels (up to SIL 2 or PL d) or 8safety input channels (up to SIL 3 or PL e) with 8 test pulse output channels.

[Figure: DX581-S front view; nameplate: UP 24VDC 100W 8SDI 8SDO Safety Digital Input 24VDC / Safety Digital Output 24VDC 0.5A; terminals 1.0 ... 4.9 with test pulse outputs T0 ... T3, inputs I0 ... I7, outputs O0 ... O7, UP and ZP; PWR, ERR1 and ERR2 LEDs; ADDR x10H / ADDR x01H hexadecimal rotary switches (0 ... F)]

Safety binary input/output module DX581-S with 8 safety output channels (up to SIL 3 or PL e)and 8 safety input channels (up to SIL 2 or PL d) or 4 safety input channels (up to SIL 3 or PL e)with 4 test pulse output channels.


[Figure: AI581-S front view; nameplate: UP 24VDC 2W 4SAI Safety Analog Input; terminals 1.0 ... 4.9 with current inputs I0+/I0- ... I3+/I3-, FE, UP and ZP; PWR, ERR1 and ERR2 LEDs; ADDR x10H / ADDR x01H hexadecimal rotary switches (0 ... F)]

Safety analog input module AI581-S with 4 safety current input channels 0 ... 20 mA (up toSIL 2 or PL d) or 2 safety current input channels (up to SIL 3 or PL e).

The following interference-free component shall be used for mounting safety I/O modules:

[Figure: TU582-S terminal unit front view, terminals 1.0 ... 4.9]

Spring-type terminal unit TU582-S for safety I/O modules.

2.2 Intended use

The user shall coordinate usage of ABB AC500-S safety components in his applications with the competent authorities and get their approval. ABB assumes no liability or responsibility for any consequences arising from improper use, such as:
● Non-compliance with standards and guidelines
● Unauthorized changes to equipment, connections and settings
● Use of unauthorized or improper equipment
● Failure to observe the safety instructions in this guide


2.3 Safety loop

The safety loop, to which the AC500-S safety PLC belongs, consists of the following three parts: sensors, safety PLC and actuators.

[Figure text: Safety loop = Sensor (~35 % of safety loop PFH) + Safety PLC: Safety Input Module, Safety CPU Module, Safety Output Module (~15 % of safety loop PFH) + Actuator (~50 % of safety loop PFH)]

Fig. 2: Typical safety loop with AC500-S safety PLC

For the calculation of the PFH/PFD values of an exemplary safety system, 15 % is normallyassumed for the safety PLC.

2.4 Safety values

Table 1: The following safety values shall be used for AC500-S safety modules:

Type | SIL(1) / max. SIL(2) | PL(3) | DC(4) | MTTFd(5) | PFHd(6) | PFHd(7) | PFDg(8) | T1(9) | SFF(10) | b(11)
SM560-S(-XC) / SM560-S-FD-1(-XC) / SM560-S-FD-4(-XC) | 3 | e | 97 | 1280 | 1.90E-09 | 8.95E-11 | 7.90E-06 | 20 | 98 | 2
AI581-S(-XC) | 3 | e | 97 | 920 | 2.95E-09 | 4.50E-10 | 3.80E-05 | 20 | 99 | 2
DI581-S(-XC) | 3 | e | 95 | 2270 | 1.45E-09 | 4.40E-10 | 3.70E-05 | 20 | 98 | 2
Inputs of DX581-S(-XC) | 3 | e | 94 | 2250 | 1.45E-09 | 4.50E-10 | 3.80E-05 | 20 | 98 | 2
Outputs of DX581-S(-XC) with parameter Detection = "On" | 3 | e | 94 | 1985 | 1.60E-09 | 4.50E-10 | 3.80E-05 | 20 | 99 | 2
Outputs of DX581-S(-XC) with parameter Detection = "Off" | 2 | d | 85 | 200 | 1.19E-08 | 1.08E-08 | 4.70E-04 | 20 | on request | 2


(1) - SIL (safety integrity level) according to IEC 61508
(2) - Max. SIL (maximum safety integrity level) according to IEC 62061
(3) - PL (performance level) according to ISO 13849-1
(4) - Diagnostic coverage, % (refer to ISO 13849-1)
(5) - Mean time to dangerous failure (years) according to ISO 13849-1
(6) - Probability of dangerous failure per hour according to IEC 62061
(7) - Probability of dangerous failure per hour according to IEC 61508 (High demand mode)
(8) - Average probability of failure to perform its design function on demand according to IEC 61508 (Low demand mode)
(9) - Proof test interval - mission time - lifetime, years
(10) - SFF (safe failure fraction), % according to IEC 61508
(11) - b (beta factor), % for common cause failures according to IEC 61508
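A loop-level SIL estimate built from the Table 1 values and the 15 % safety-PLC share assumed in section 2.3, as an added Python example that is not ABB code. The series-sum of module values for the PLC part of the loop, the scaling by the PLC share and the IEC 61508 SIL bands are the assumptions it rests on; the loop figure it derives is a planning estimate, not a certified value.

```python
# Added example, not ABB code: a loop-level SIL check built from the safety values in
# Table 1 and the ~15 % safety-PLC share of loop PFH from section 2.3. The SIL bands are
# IEC 61508 Table 2 (low demand, PFDavg) and Table 3 (high demand, PFH).

# Per-module values from Table 1: PFHd in 1/h per IEC 62061 and IEC 61508 (high demand),
# PFDg per IEC 61508 (low demand), and the module's SIL rating from the SIL(1) column.
SAFETY_VALUES = {
    "SM560-S":                       {"sil": 3, "pfhd_62061": 1.90e-09, "pfhd_61508": 8.95e-11, "pfdg": 7.90e-06},
    "AI581-S":                       {"sil": 3, "pfhd_62061": 2.95e-09, "pfhd_61508": 4.50e-10, "pfdg": 3.80e-05},
    "DI581-S":                       {"sil": 3, "pfhd_62061": 1.45e-09, "pfhd_61508": 4.40e-10, "pfdg": 3.70e-05},
    "DX581-S inputs":                {"sil": 3, "pfhd_62061": 1.45e-09, "pfhd_61508": 4.50e-10, "pfdg": 3.80e-05},
    "DX581-S outputs Detection=On":  {"sil": 3, "pfhd_62061": 1.60e-09, "pfhd_61508": 4.50e-10, "pfdg": 3.80e-05},
    "DX581-S outputs Detection=Off": {"sil": 2, "pfhd_62061": 1.19e-08, "pfhd_61508": 1.08e-08, "pfdg": 4.70e-04},
}

CERTIFIED_MAX_SIL = 3       # AC500-S modules are certified up to SIL 3 (section 1.6)


def sil_band_high_demand(pfh: float) -> int:
    """SIL band for a dangerous failure rate per hour (IEC 61508 Table 3); 0 = no SIL."""
    if pfh < 1e-8:
        return 4            # SIL 4 band (>= 1E-9) and anything below it
    if pfh < 1e-7:
        return 3
    if pfh < 1e-6:
        return 2
    if pfh < 1e-5:
        return 1
    return 0


def sil_band_low_demand(pfd: float) -> int:
    """SIL band for an average probability of failure on demand (IEC 61508 Table 2)."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def plc_failure_measure(chain: list[str], key: str) -> float:
    """Failure measure of the safety-PLC part of the loop: the input module, safety CPU
    and output module act in series, so their per-module values are summed."""
    return sum(SAFETY_VALUES[m][key] for m in chain)


def loop_from_plc_share(plc_value: float, plc_share: float = 0.15) -> float:
    """Scale the PLC value to the whole loop, assuming the PLC accounts for plc_share
    of the loop's PFH/PFD (the manual's exemplary 15 %)."""
    return plc_value / plc_share


def achievable_sil(chain: list[str], key: str = "pfhd_62061", plc_share: float = 0.15) -> dict:
    """Loop-level SIL estimate for a sensor -> safety PLC -> actuator loop whose PLC part is
    `chain`. Limited by the PFH/PFD band, by the lowest-rated module and by the certified
    maximum; an estimate for planning, not a substitute for the certified values."""
    plc_value = plc_failure_measure(chain, key)
    loop_value = loop_from_plc_share(plc_value, plc_share)
    band = sil_band_low_demand(loop_value) if key == "pfdg" else sil_band_high_demand(loop_value)
    module_limit = min(SAFETY_VALUES[m]["sil"] for m in chain)
    return {"plc_value": plc_value, "loop_value": loop_value, "band": band,
            "sil": min(band, module_limit, CERTIFIED_MAX_SIL)}


if __name__ == "__main__":
    for outputs in ("DX581-S outputs Detection=On", "DX581-S outputs Detection=Off"):
        r = achievable_sil(["DI581-S", "SM560-S", outputs])
        print(f"{outputs}: PLC PFHd {r['plc_value']:.3e} 1/h, loop PFHd {r['loop_value']:.3e} 1/h, "
              f"band SIL {r['band']}, achievable SIL {r['sil']}")
```

With the DX581-S outputs configured with Detection = "Off" the same chain lands in the SIL 2 band, which matches the SIL 2 / PL d rating of that table row.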

DANGER!
Safety value calculation uses the average temperature. The average temperature for both the extended temperature range (-40 ... +70 °C) as well as for the normal temperature range (0 ... +60 °C) is defined to +40 °C.
Ensure that the average operating temperature for the used AC500-S and AC500-S-XC modules does not exceed +40 °C.

2.5 Qualified personnel

AC500-S safety PLC may only be set up and used in conjunction with this documentation.

Safety application engineer of AC500-S safety PLC
Commissioning and operation of AC500-S safety PLC may only be performed by qualified personnel who are authorized to commission safety devices, systems and circuits in accordance with established functional safety practices and standards.

The following basic knowledge of the AC500 system is required to correctly understand this AC500-S safety user manual:
● AC500 automation system.
● Automation Builder / Control Builder Plus programming environment (system configuration and programming in ST, LAD and FBD programming languages).

2.6 Lifecycle

All AC500-S safety modules have a maximum life of 20 years. This means that all AC500-S safety modules shall be taken out of service or replaced by new AC500-S safety modules at least one week before the expiry of 20 years (counted from the date of delivery by ABB).

2.7 Installation of safety modules

The following rules shall be taken into account for installing safety modules:
● The installation must be done according to the documentation with appropriate facilities and tools.
● The installation of the devices may be done only in de-energized condition and carried out by the qualified personnel.


● The general safety regulations and applicable national safety regulations shall be strictly observed.
● The electrical installation shall be carried out in accordance with relevant regulations.
● Take the necessary protective measures against static discharge.

NOTICE!
PLC damage due to wrong enclosures
AC500-S safety modules shall be used in enclosed switchgear cabinets which are suitable for modules with IP 20 degree of protection. Refer to [3] for more details.

2.8 Exchange of modules

The SM560-S / SM560-S-FD-1 / SM560-S-FD-4 safety CPU automatically detects an exchange of safety I/O modules during the system start-up. The overall system (safety CPU and the PROFIsafe feature of unique addresses for safety devices, see [2]) provides a mechanism to automatically ensure that exchanged safety modules are operated with correct parameters and that incompatible module types are rejected. No unsafe state is possible if a wrong safety I/O module type is put on the given terminal unit TU582-S.

2.9 AC500-S restart behavior

When the SM560-S / SM560-S-FD-1 / SM560-S-FD-4 safety CPU is restarted by a power cycle, the previously saved error information is lost. Additional measures in the safety application program, like saving the error or other information to the safety CPU flash memory, shall be programmed on the safety CPU to persistently save information on it. The safety I/O modules receive their parameter sets each time during system start-up. The safety CPU is able to reintegrate safety I/O modules using the PROFIsafe start-up behavior (see [2]). If your process does not allow an automatic start-up after a power cycle, you must program a restart protection in the safety program. The safety process data outputs must be blocked until manually acknowledged. These safety outputs must not be enabled until it is safe to do so and faults have been corrected.

2.10 Replacing AC500-S safety PLC components

When replacing software components on your programming device or PC with a newer version, you must observe the notes regarding upward and downward compatibility in the documentation and readme files for these products.

Hardware components for AC500-S (safety CPU and safety I/Os) are replaced in the same way as in a non-safety AC500 automation system.

2.11 Environmentally friendly disposal

All AC500-S safety components from ABB are designed with a minimal environment pollution effect. To enable environmentally friendly disposal of AC500-S safety components, they can be partially disassembled to separate various components from each other. Disposal of those materials shall be done in accordance with applicable national and international laws.


2.12 Safe communication

Safety data are transferred between the safety CPU and safety I/Os using the PROFIsafe profile (see [2]). The SM560-S / SM560-S-FD-1 / SM560-S-FD-4 safety CPU needs a non-safety CPU to communicate with safety I/O modules. All safety-related communication takes place through the non-safety CPU using a "black channel" principle of data transmission (see [2]).

The communication of the safety CPU to remote safety I/O modules is done using the PROFINET IO field bus with a PROFIsafe profile for safe data transmission (see [2]). Safety and non-safety I/O modules can be mixed on a local I/O bus both in central and remote configuration. The PROFINET IO controller communication module (CM579-PNIO) shall be used on non-safety CPUs as a part of the "black channel" to transfer safety data to PROFINET IO devices. The PROFINET devices CI501-PNIO, CI502-PNIO, CI504-PNIO and CI506-PNIO can be used to attach safety I/O modules in remote configurations.

Fig. 3: AC500-S system setup with PROFINET/PROFIsafe for remote safety I/Os, sensors and actuators

PROFINET/PROFIsafe communication between AC500-S safety CPUs is supported using CM589-PNIO and/or CM589-PNIO-4 PROFINET IO device communication modules together with SM560-S-FD-1 and/or SM560-S-FD-4 safety CPUs with F-Device functionality on one side and CM579-PNIO with any AC500-S safety CPU with F-Host functionality on the other side (Fig. 4 on page 23). SM560-S-FD-1 and SM560-S-FD-4 safety CPUs are able to exchange a large amount of safety data with F-Hosts (3rd party PROFIsafe F-Hosts are supported as well) using PROFINET/PROFIsafe by configuring up to 32 F-Submodules.

If using PROFIsafe short frame F-Submodules (supported for PROFIsafe V2.4 and V2.6), a maximum of 384 bytes can be exchanged (max. 32 F-Device instances with 12 bytes safety data for each input/output direction).


If using PROFIsafe long frame F-Submodules (supported for PROFIsafe V2.6 only), a maximum of 1353 bytes can be exchanged (max. 11 F-Device instances with 123 bytes safety data for each input/output direction).

SM560-S-FD-1 with F-Device(s) supports safe communication to a maximum of one F-Host. SM560-S-FD-4 with F-Device(s) supports safe communication to a maximum of four F-Hosts. Fig. 4 shows that using SM560-S-FD-1 and SM560-S-FD-4 safety CPUs with additional F-Device functionality one can establish safe CPU to CPU communication between different control stations on PROFINET/PROFIsafe. SM560-S-FD-4 safety CPUs can simultaneously communicate not only with 1 PROFINET IO controller/F-Host (Master) but with up to 4 PROFINET IO controllers/F-Hosts (Masters). In addition to SM560-S-FD-1 and SM560-S-FD-4 safety CPUs, CM589-PNIO and CM589-PNIO-4 PROFINET IO device communication modules are needed to establish PROFINET connectivity as "black channel", respectively, to 1 or up to 4 PROFINET IO controllers.

Fig. 4: Exemplary setup for safe CPU to CPU communication between various safety CPUs (SM560-S / SM560-S-FD-1 / SM560-S-FD-4)

The following communication requirements shall be fulfilled for using the AC500-S safety PLC:
● Safety data cannot be transferred over public networks, e.g., the internet. If safety data is transferred across company/factory networks, ensure that sufficient protection is provided against manipulation (firewall or router for network separation).
● Equipment connected to communication devices shall feature safe electrical isolation.


NOTICE!
You can use AC500-S safety I/O modules and SM560-S-FD-1 / SM560-S-FD-4 safety CPUs with 3rd party F-Hosts on PROFINET. Download and install valid ABB GSDML files in your 3rd party F-Host engineering environment from www.abb.com/plc. After this, you can configure and use these AC500-S modules with the 3rd party F-Host. Contact ABB technical support on how to obtain F_iPar_CRC values of AC500-S safety I/O modules for 3rd party F-Hosts.
Validate that all iParameters (input delay, channel configuration, etc.) for all AC500-S safety I/Os and other F-Devices are correct with a given F_iPar_CRC value using appropriate functional validation tests or the verification procedure for those parameters (see Chapter 6.5 “Verification procedure for safe iParameter setting in AC500-S safety I/Os” on page 350).
Default F_iPar_CRC values used in GSDML files for AC500-S safety I/O modules do not correspond to the default iParameter configurations for AC500-S safety I/O modules and have to be re-calculated in the engineering tools before their usage. This was done to avoid unintended use of AC500-S safety I/O with 3rd party F-Hosts.

2.13 Safety function and fault reaction

The main safety function of the AC500-S safety PLC is to read safety digital and analog inputs to control the safety digital outputs by the safety logic module (safety CPU) according to a user-defined IEC 61131 application program and configuration.

The AC500-S safety PLC can be used as a "de-energize to trip" (normally energized, NE) system. The safe state of the outputs is defined according to the table below:

Table 2: NE safety system behavior

 | Normally energized, NE
Mode according to IEC 61508 | High-demand or low-demand
Safety function | De-energize to trip
Safe state | De-energized outputs

The purpose of AC500-S safety function is to enable a machine or a process (as a system)to achieve with a given SIL (IEC 61508 and IEC 61511), max. SIL (IEC 62061) and PL(ISO 13849-1) a system safe state. An exemplary safety function on the application level, whichcan be executed by AC500-S in machinery applications, is the emergency stop.

2.13.1 Safety CPU (SM560-S / SM560-S-FD-1 / SM560-S-FD-4)

The safety function of the safety CPU is to correctly process signal information. It processes safety input signals and internal data storage to generate signals to safety output modules and set a new state of its internal data storage.

If this function cannot be correctly executed, the safety CPU goes to a SAFE STOP state, in which no valid safety telegrams are generated and, as a result, all safety output module channels are de-energized (‘0’ state) after the watchdog time has expired.

Faults in the cyclic communication between the safety CPU and safety I/O modules or other F-Devices, e.g., SM560-S-FD-1 or SM560-S-FD-4 safety CPUs, are detected by the safety CPU and, as a result, ‘0’ values are handed to the safety application program.

The application program developer must implement a specific fault reaction, e.g., setting safety output channels to de-energized (‘0’ state), when required.

Overview of AC500-S safety PLC
Safety function and fault reaction > Safety CPU (SM560-S / SM560-S-FD-1 / SM560-S-FD-4)

2022/02/04 3ADR025091M0210, 14, en_US 24

Page 25: AC500-S Safety user manual V1.3.0 - ABB

2.13.2 Safety module with safety input channels (DI581-S, DX581-S and AI581-S)
The safety function of the safety modules with digital and analog input channels (DI581-S, DX581-S and AI581-S) is to correctly read external analog and/or digital signals. If this function cannot be executed correctly, the safety module or only its affected input channel, depending on the fault scope, has to go to a safe state. In case of a channel fault, the safe value (de-energized = ‘0’) is transferred to the safety logic module (e.g., SM560-S) together with additional information about the fault for the given channel.
In case of a module fault, no valid telegrams are generated by the safety module for the safety logic module. The values of those safety input channels are assigned the safe values (de-energized = ‘0’) on the safety CPU.
Faults in the cyclic communication between the safety CPU and the safety modules are detected by the safety modules with input channels. If a communication fault occurs, all inputs of the affected safety module go to the so-called passivation state, in which ‘0’ values are sent as process values once the communication to the safety CPU is re-established. The switch-over (reintegration) from the safe values ‘0’ to process data takes place only after user acknowledgment.

2.13.3 Safety module with safety output channels (DX581-S)
The safety function of safety modules with safety output channels (DX581-S) is to correctly write their output channel signals. If this function cannot be executed correctly, the safety module or its affected output channel group, depending on the fault scope, has to go to a safe state. In case of a channel fault, the safe value (de-energized = ‘0’) is set for the given safety output channels. In case of a module fault, no valid telegrams are generated by the safety output module for the safety CPU, and all safety output channels are set to the safe value (de-energized = ‘0’).
Faults in the cyclic communication between the safety CPU and the safety output modules are detected by the safety output module DX581-S. If a communication fault occurs, all outputs of the affected safety output module are de-energized (‘0’). The switch-over (reintegration) from the safe values ‘0’ to process data takes place only after user acknowledgment, once the communication is re-established.
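The fault reaction described in 2.13.2 and 2.13.3, as a runnable model (an added example, not ABB code and not the AC500-S library behaviour): a channel fault, a module fault or a lost cyclic connection forces the safe value ‘0’, and process data returns only after the fault is gone and the user has acknowledged. The 30 s hold of an AI581-S channel after over-/undercurrent (FAQ in section 2.16) and the lower/higher channel aggregation in 2-channel mode are included as well; the class and method names, the timing values and the equivalent-AND aggregation of a pair are assumptions made for this model.

```python
"""Passivation and acknowledged reintegration of safety I/O channels.

Added example, not code from ABB or the AC500-S libraries. Models the fault
reaction of 2.13.2 / 2.13.3 plus the AI581-S 30 s hold from the FAQ: a fault
or loss of cyclic communication forces the safe value '0', and process data
returns only after the fault is gone AND the user acknowledges. Channel,
FDevice, poll, acknowledge and the equivalent-AND aggregation of a 2-channel
pair are assumptions for this model, not ABB-specified interfaces.
"""
from dataclasses import dataclass

SAFE_VALUE = 0


@dataclass
class Channel:
    name: str
    passivated: bool = False
    fault: bool = False
    ack_requested: bool = False   # stands in for the OA_Req_S bit seen in the F-Host
    hold_until: float = 0.0       # earliest time a reintegration request may be raised


class FDevice:
    """One safety I/O module as seen by the safety CPU (F-Host)."""

    def __init__(self, channel_names, pairs=None):
        self.ch = {n: Channel(n) for n in channel_names}
        self.pairs = dict(pairs or {})   # lower channel -> higher channel (2-channel mode)
        self.comm_ok = True

    # -- fault injection ----------------------------------------------------
    def channel_fault(self, name, now, hold_s=0.0):
        """Channel-scope fault; hold_s models the AI581-S 30 s over/undercurrent hold."""
        c = self.ch[name]
        c.fault, c.passivated, c.ack_requested = True, True, False
        c.hold_until = now + hold_s

    def comm_fault(self):
        """Lost cyclic communication (or module fault): every channel is passivated."""
        self.comm_ok = False
        for c in self.ch.values():
            c.passivated, c.ack_requested = True, False

    def comm_restored(self, now):
        self.comm_ok = True
        self.poll(now)

    def clear_fault(self, name, now):
        self.ch[name].fault = False
        self.poll(now)

    # -- cyclic evaluation ---------------------------------------------------
    def poll(self, now):
        """Raise the acknowledgement request for each passivated channel that is healthy again."""
        for c in self.ch.values():
            if c.passivated and not c.fault and self.comm_ok and now >= c.hold_until:
                c.ack_requested = True

    def acknowledge(self, name, now):
        """User acknowledgement (the OA_C side). Returns True if reintegration happened.

        Without a pending request nothing changes: the safe value stays until the
        fault is really gone. A 2-channel pair is acknowledged via its lower channel.
        """
        self.poll(now)
        members = [name] + ([self.pairs[name]] if name in self.pairs else [])
        if not all(self.ch[m].ack_requested for m in members):
            return False
        for m in members:
            self.ch[m].passivated = self.ch[m].ack_requested = False
        return True

    def process_values(self, raw):
        """Values handed to the safety program: passivated channels deliver '0'."""
        out = {n: (SAFE_VALUE if c.passivated else raw.get(n, SAFE_VALUE))
               for n, c in self.ch.items()}
        for lower, higher in self.pairs.items():
            # Assumption: equivalent evaluation, i.e. both physical inputs must be 1.
            # The aggregated value travels on the lower channel; the higher one is always 0.
            pair_ok = not (self.ch[lower].passivated or self.ch[higher].passivated)
            out[lower] = (raw.get(lower, 0) & raw.get(higher, 0)) if pair_ok else SAFE_VALUE
            out[higher] = SAFE_VALUE
        return out


def run_scenario():
    """Constructed timeline (seconds) covering comm loss, acknowledgement and the AI hold."""
    dev = FDevice(["DI0", "DI4", "AI0"], pairs={"DI0": "DI4"})
    raw = {"DI0": 1, "DI4": 1, "AI0": 1}
    trace = []
    trace.append(("t0 normal DI0", dev.process_values(raw)["DI0"]))
    dev.comm_fault()
    trace.append(("t1 comm lost DI0", dev.process_values(raw)["DI0"]))
    dev.comm_restored(now=2)
    trace.append(("t2 restored, unacknowledged DI0", dev.process_values(raw)["DI0"]))
    trace.append(("t2 acknowledge DI0", dev.acknowledge("DI0", now=2)))
    trace.append(("t2 after ack DI0", dev.process_values(raw)["DI0"]))
    dev.channel_fault("AI0", now=10, hold_s=30)
    dev.clear_fault("AI0", now=15)
    trace.append(("t15 ack inside hold AI0", dev.acknowledge("AI0", now=15)))
    trace.append(("t15 AI0 value", dev.process_values(raw)["AI0"]))
    trace.append(("t41 ack after hold AI0", dev.acknowledge("AI0", now=41)))
    trace.append(("t41 AI0 value", dev.process_values(raw)["AI0"]))
    return trace


if __name__ == "__main__":
    for step, value in run_scenario():
        print(f"{step:34s} -> {value}")
```

The point to carry into the real safety program is the one the model makes explicit: restored communication alone never brings process data back, and an acknowledgement issued before the fault is actually cleared (or before a hold time has elapsed) is simply ignored rather than reintegrating the channel.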

2.14 Safety function test
After creating a safety program and system configuration, you must carry out a complete function test in accordance with your automation task. For changes made to a safety program which has already undergone a complete function test, only the changes need to be tested, provided a proper impact analysis was done beforehand.
The safety application program, safety I/O configuration, etc. have to be verified and saved for the project data report and archive. The system acceptance test shall follow the safety function test. After you finish configuring the hardware and assigning parameters for the safety CPU and safety I/O modules, you can perform the acceptance test. During the system acceptance test, all relevant application-specific standards must be adhered to.

2.15 Troubleshooting
Error messages in the diagnosis buffer of the non-safety CPU include a description which shall help you to fix potential problems with the AC500-S configuration. If some of the problems persist or no error messages are available in the diagnosis buffer, contact ABB technical support for further details.


NOTICE!
Make sure that the safety I/O modules are properly attached to the TU582-S terminal unit with good electrical contact, to avoid an unintended system state with possibly wrong LED states; see Chapter 3.3.3 “Mounting, dimensions and electrical connection” on page 69, Chapter 3.4.3 “Mounting, dimensions and electrical connection” on page 95 and Chapter 3.5.3 “Mounting, dimensions and electrical connection” on page 115.

Below you can find a list of known issues and solutions related to AC500-S safety PLC components. Each entry gives the observed behavior, the potential cause and the remedy:

1. Behavior: The safety CPU is in RUN or DEBUG RUN state, but all safety I/O modules suddenly go to the RUN (module passivation) state.
   Potential cause: Your program may contain an endless loop which prevents the safety CPU from sending valid safety telegrams to the safety I/O modules in time (within the configured watchdog time).
   Remedy: Check (debug) your safety application program and make sure that it contains no endless loop(s).

2. Behavior: No log-in to the safety CPU from the safety project is possible.
   Potential cause: A visualization was connected directly to the safety CPU, which blocks the connection to the safety CPU. Only one connection to the safety CPU is allowed at a time.
   Remedy: Disconnect the visualization from the safety CPU.

3. Behavior: During closing or saving of the project, modification of the safety project, etc. with Automation Builder, you may see no reaction from Automation Builder and/or the safety project, as if the application hangs.
   Potential cause: The user management of Automation Builder requires that you confirm your log-on credentials for safety components and issues a log-on message box which is not in the foreground. Your previous log-on session has expired.
   Remedy: Find the log-on message in the background of your Windows desktop, log on and continue your previous actions. Set a longer user log-on session time for Automation Builder if this behavior repeats, see [3].

4. Behavior: Your safety digital input channel is occasionally passivated with an internal error diagnostic message on the non-safety CPU. With AC500 V2 non-safety CPU: error severity: E3, component: 14, device: 1 ... 10, module: 31, channel: 31, error: 43. With AC500 V3 non-safety CPU: error severity: 3, error code: 16171.
   Potential cause: One potential reason is that your input signal frequency exceeded the allowed input channel signal frequency; see the allowed frequency ranges in Chapter 3.3.2 on page 66.
   Remedy: Check that your input signal does not exceed the allowed digital input signal frequency.

5. Behavior: The DX581-S module is powered on, but no power supply is connected to the UP clamps of the DX581-S module.
   Potential cause: Wiring error on the DX581-S module: +24 V DC is connected to at least one of the safety digital output clamps of the DX581-S. As a result, the DX581-S is powered through its safety digital outputs.
   Remedy: Check the wiring of the DX581-S and disconnect +24 V DC from the safety digital output clamp(s).

6. Behavior: Some channels of a safety I/O module, or a complete safety I/O module, are occasionally passivated without apparent reason (wiring is correct, etc.).
   Potential cause: No proper electrical contact between the safety I/O module and the TU582-S terminal unit.
   Remedy: Make sure that you pressed the safety I/O module into the TU582-S terminal unit with a force of at least 100 N, as prescribed in the AC500-S checklists.


7. Behavior: With an increased number of safety I/O modules in the system, it takes longer to execute the “Create boot project” command for the safety CPU.
   Potential cause: The safety CPU is a single-threaded system. The more safety I/O modules are in the system, the higher the internal cycle time of the safety CPU to process safety I/O relevant data.
   Remedy: Currently, there is no possibility to change this behavior other than to split the safety I/Os across different safety CPUs, so that each safety CPU has fewer safety I/Os to handle.

8. Behavior: After log-in to the safety CPU using the AC500-S Programming Tool, one can observe a long list of internal constants in green font color for PROFIsafe F-Host instances.
   Potential cause: The option “Replace constants” is selected.
   Remedy: In the AC500-S Programming Tool, go to the menu “Project → Options → Build” and unselect the option “Replace constants”.

9. Behavior: No valid safety project can be generated (PROFIsafe callback functions are missing and no safety I/O mapping is created).
   Potential cause: A potential reason is that, in “Object Properties... → Access rights” for any of the POUs in the safety project tree, you selected the option “No Access” or “Read Access” for all “User Groups” with the “Apply to all” selection.
   Remedy: Start the safety project, log in and go to “Object Properties... → Access rights” for any of the POUs in the safety project tree to set “Full access” for any of the user groups, followed by the “Apply to all” selection. After this, you can successfully repeat the “Create Safety Configuration Data” command for your safety project from Automation Builder.

10. Behavior: I call the CurTimeEx FB from the library Safety_SysLibTime.lib and always get "0" values on the outputs.
    Potential cause: The CurTimeEx FB is not implemented in the current version of the safety CPU and is reserved for future use.
    Remedy: Do not use the CurTimeEx FB in your safety application program.

11. Behavior: The following sequence is performed:
    ● Set the "Enable debug" parameter to “OFF” on the safety CPU.
    ● Create boot projects for the safety CPU and the non-safety CPU.
    ● Execute a power cycle.
    ● Compare the safety boot project CRCs on your PC and on the safety CPU. The comparison shows that they are the same, which is OK.
    ● Try to create a boot project for the safety CPU. An error message follows because "Enable debug" is set to “OFF” for the safety CPU, which is OK.
    ● Repeat the comparison of the boot project CRCs on your PC and on the safety CPU. They are now reported to be not equal (the boot project CRC for the safety CPU is shown as CDCDCDCD), which can be misleading since the boot project on the safety CPU was not changed.
    Potential cause: The AC500-S Programming Tool does not support the described use case.
    Remedy: After a power cycle of the safety CPU, the correct boot project CRC shall be shown for the safety CPU.


12. Behavior: The serial driver is used to connect to the safety CPU. In the AC500-S Programming Tool, one executes the “Login” command, shortly followed by the “Logout” command, and shortly after this the “Login” command is executed again. After the second log-in attempt, a communication error is shown in the AC500-S Programming Tool.
    Potential cause: The serial driver does not have enough time to be re-initialized.
    Remedy: Wait for at least 20 seconds before executing the “Login” command after “Logout” was performed.

13. Behavior: The following sequence is performed:
    ● In the AC500-S Programming Tool, one executes the “Login” command and uses the “setpwd” PLC browser command to set a new password, e.g., "PWD1", for the safety CPU.
    ● A power cycle is executed for the safety CPU, but the AC500-S Programming Tool remains open on the end-user PC.
    ● One executes the “Login” command and enters the new password "PWD1", which was set in step 1. One uses the “setpwd” PLC browser command to set a new password, e.g., "PWD2", for the safety CPU.
    ● A power cycle is executed for the safety CPU, but the AC500-S Programming Tool remains open on the end-user PC.
    ● One executes the “Login” command and the error message "You have entered a wrong PLC password!" is shown. After pressing “OK”, you still have the possibility to enter the new password "PWD2" and successfully log in to the safety CPU.
    Potential cause: The AC500-S Programming Tool attempts to log in to the safety CPU with the old password.
    Remedy: After resetting the safety CPU password, close the AC500-S Programming Tool and open it again. The error message will not appear again.

14. Behavior: After power-on, the safety I/O module goes to the SAFE STOP state with both ERR LEDs = ON.
    Potential cause: The F_Dest_Add value configured in the Automation Builder project is not equal to the PROFIsafe address switch value on the safety I/O module.
    Remedy: Make sure that the F_Dest_Add value in the Automation Builder project is equal to the PROFIsafe address switch value on the safety I/O module.

15. Behavior: No log-in to the safety CPU is possible.
    Potential cause: Wrong “Communication parameters” settings are used.
    Remedy: In the AC500-S Programming Tool, check that the correct “Communication parameters” settings are used to connect to the safety CPU.

16. Behavior: After the boot project is loaded to the safety CPU, the V2 non-safety CPU sometimes seems to do nothing for about 45 seconds until its ERR LED is switched on.
    Potential cause: Timeout in the V2 non-safety CPU.
    Remedy: Such a situation can be observed very seldom. There is no remedy for this behavior of the V2 non-safety CPU at the moment.


17. Behavior: After power-on of the safety CPU, it may happen that the safety CPU does not go to RUN mode. The DIAG LED is ON and no boot project is loaded to the safety CPU. If you attempt to log in to the safety CPU, the following error message can be seen in the AC500-S Programming Tool: "No program on the controller! Download the new program?".
    Potential cause: The safety CPU power dip function is triggered if the pause between power-off and the following power-on is less than 1.5 s. The boot project is still on the safety CPU, but was not loaded due to power dip detection. Thus, there is no need to reload any boot project to the safety CPU.
    Remedy: Power off and power on the safety CPU with a pause between the power-off and power-on phase of ≥ 1.5 s.

18. Behavior: If a breakpoint is reached during debugging and you try to force a variable, then this variable is updated with the forced value only in the next safety CPU cycle.
    Potential cause: The safety CPU is single-threaded.
    Remedy: This behavior is as designed.

19. Behavior: During project download to the safety CPU, the download window stays at 0 bytes of downloaded code forever, or an error message pops up.
    Potential cause: The "Enable debug" parameter was set to “OFF” for the safety CPU and this configuration data was downloaded to the non-safety CPU.
    Remedy: Set the "Enable debug" parameter to “ON”, generate a new configuration and download the project to the non-safety CPU. New project code can now be downloaded to the safety CPU through the AC500-S Programming Tool.

20. Behavior: Unable to log in to the safety CPU after logout.
    Potential cause: Log-in to the safety CPU too fast after logout.
    Remedy: Wait a few seconds (~5 - 10 s) after logout from the safety CPU before you log in to the safety CPU again.

21. Behavior: A diagnosis message with error severity level 3 and error text "Measurement underflow at the I/O module" appears in the non-safety CPU diagnosis system, despite the fact that overcurrent and not undercurrent was observed for the given AI581-S input channel.
    Potential cause: The internal detection mechanism is not always able to differentiate between over- and undercurrent, because overcurrent is often followed by undercurrent effects in the AI581-S electronics.
    Remedy: There is no remedy for this problem yet.

22. Behavior: The "Enable debug" parameter = “ON” was set for the safety CPU and correctly loaded to the non-safety CPU. However, one still cannot debug on the safety CPU.
    Potential cause: The safety projects on your PC and in the safety CPU are not the same. You may also get the following message window: "The program has changed! Download the new program?".
    Remedy: Download your safety project from your PC to the safety CPU; debugging shall be possible now.


23. Behavior: In the AC500-S Programming Tool, after using the menu item “Online → Reset”, the safety CPU goes to the DEBUG STOP state (non-safety mode). Safety I/O modules go to the module passivation state. If you log in to the safety CPU, you can see OA_Req_S = TRUE bits in the PROFIsafe instances of the F-Devices. The safety application is not executed by the safety CPU, but you still can set OA_C = TRUE for the F-Devices and they will go to RUN mode. The safety CPU remains in the DEBUG STOP (non-safety) state all the time.
    Potential cause: The PROFIsafe F-Host does not run in fail-safe mode after using the menu item “Online → Reset”.
    Remedy: This behavior is as designed in the safety CPU; see Chapter 3.1.5.1 “Description of safety CPU module states” on page 46.

24. Behavior: The error message "Error in configuration data, safety PLC cannot read configuration data" is available on the safety CPU.
    Potential cause:
    ● The configurations downloaded to the non-safety CPU and the safety CPU do not fit each other.
    ● No boot project is loaded on the safety CPU.
    Remedy:
    ● Download valid configurations, as part of the boot projects, to the non-safety CPU and the safety CPU, respectively, and make sure that they fit each other.
    ● Download a valid boot project to the safety CPU.

2.16 FAQ - AC500-S safety PLC
● Boot project availability on the safety CPU after power dip or incomplete power cycle

In case of an under- or overvoltage, which may also be caused by an incomplete power cycle (power-off followed by power-on in less than 1.5 s), the safety CPU goes to the SAFE STOP state with the I-ERR LED ON. However, the boot project is still intact. To put the safety CPU back into RUN mode, it is necessary to perform two subsequent power cycles. After the first power cycle, the safety CPU goes to the DEBUG STOP (non-safety) mode state with the DIAG LED ON. The second power cycle puts the safety CPU back into RUN (safety) mode.

● Not possible to create a boot project for the safety CPU
Check that the parameter "Enable Debug" for the safety CPU is set to "ON" in the Automation Builder project and that the generated boot project was loaded to the non-safety CPU, followed by a power cycle.

● After power cycle, the safety CPU goes into SAFE STOP state (I-ERR ON)
This situation could arise due to a corrupt boot project, or because the rotary switch of the safety CPU is wrongly set to one of these values: 0xFE, 0xFD or 0xFC. Another possibility is that the safety CPU was powered off for too short a time. To ensure a reliable restart, the power-off time must be ≥ 1.5 s.

● Channel reintegration of the AI581-S safety module is not possible after removal of the fault condition
Only in the case of a channel passivation due to overcurrent or undercurrent, the safety analog channel remains passivated for 30 s to restore its initial properties; then a check is performed whether the error condition is still present. If the error has gone, the reintegration request signal for the given channel is set to TRUE to allow channel reintegration. Within the previously mentioned 30 s, the safety analog channel cannot be reintegrated.


● Process value of a certain configured input is always FALSE (only in 2-channel evaluation mode)
Our modules are designed in such a way that, in 2-channel mode, the lower channel (e.g., channels 0/4 → channel 0, channels 1/5 → channel 1, etc. for the DX581-S module) always transports the aggregated process value, the PROFIsafe diagnostic bit, the acknowledgment request and the acknowledge reintegration information. The higher channel always provides the passivated value "0". Thus, a name mapping for the higher channel is not required in 2-channel evaluation mode.

● Acyclic non-safe data exchange takes a very long time
This behavior depends on the task configuration setting in your non-safety CPU. Adjust the cycle time (e.g., set the task cycle time to 1 ms) of the task on the non-safety CPU in which the acyclic non-safe data exchange FBs are programmed to obtain the best performance.

● When should I use cyclic non-safe data exchange instead of acyclic non-safe data exchange?
If 84 bytes in acyclic non-safe data exchange are not enough or the data exchange is too slow, you can use cyclic non-safe data exchange for data up to 2 kB with minimum programming effort. In most safety applications, this functionality is not needed and, thus, shall not be used. However, if you still need it, refer to Appendix B.5 “Data exchange between safety CPU and AC500 V2 non-safety CPU” on page 393 and Appendix C.5 “Data exchange between safety CPU and AC500 V3 non-safety CPU” on page 409.

● Is data communication using acyclic or cyclic non-safe data exchange safe?
Data communication using acyclic or cyclic non-safe data exchange is non-safe, because it is not protected by any functional safety measures for data communication. However, users may implement their own safety profiles on top of this non-safe communication using the so-called "black channel" principle. Contact ABB technical support for details.

● No detection of wire cross-talk or short circuit to 24 V DC for S-DOs of DX581-S. Why, and how to solve this problem?
The outputs of the DX581-S safety module are decoupled from the connected load. This is necessary to avoid any influence of the connected load on the internal test circuit and, thus, to guarantee high robustness (no occasional trips due to false error detection caused by an unexpected change of the electrical characteristics of the connected load). Therefore, wire cross-talk and short circuit to 24 V DC can be detected only up to the output clamp of the DX581-S safety output, but not on the attached output wire. In most customer cases, a fault exclusion based on output wire isolation or, alternatively, a machine re-start (with a proper start-up test procedure implemented in the safety CPU program for the given S-DOs, activating them one after the other) at least once per month is often enough. The user may also take other appropriate actions (e.g., by defining appropriate test periods for the safety function, or by reading back the status of the output wire using a safety digital input) to satisfy their respective IEC 62061 and ISO 13849-1 requirements, if wire cross-talk or short circuit to 24 V DC shall be detected.

● Is my safety program OK if not all safety programming guidelines and rules checked by the AC500-S safety code analysis (SCA) rules are satisfied?
The SCA tool only checks whether the static safety programming guidelines or rules are followed. As such, any errors identified by the SCA tool may not necessarily result in machine malfunction, but will require additional argumentation why those exceptions (not fulfilled safety programming guidelines or rules) are allowed in the given customer safety application case. The latter may delay the certification of the customer safety application program.

● What does built-in power supply in the safety I/O module mean?
It means that no separate power supply module has to be bought for AC500-S safety I/Os. 24 V DC can be directly connected through the UP and ZP pins on the terminal unit.

● What is the effect of connecting a test pulse of the same type (e.g., T0, T1, T2, T3, etc.) from one module to the safety digital input channel of another module? Are test pulses module-specific?
Yes, test pulses are module-specific. As test pulses are module-specific, connecting a test pulse of the same type from one module to the same channel on another module would cause channel passivation. This kind of connection is not permitted and not recommended.


● Will there be a different delay of the safety telegram if the safety module is placed in another physical slot (communication module or I/O module slot)?
The telegram delay difference is negligible in such cases; any possible difference is far below 1 ms.

● Is the 1oo2 internal safety structure applicable for safety inputs only when we have a 2-channel input?
No, the entire AC500-S hardware system is designed using a 1oo2 internal safety structure. Hence, even when you connect a single input, internally it is split and processed using the 1oo2 safety architecture.

● How to interface safety mats/bumpers and safety edges?
Most of the safety mats and bumpers on the market come with an ASi-Safety option. With the help of an ASi-Safety to PROFINET/PROFIsafe gateway, you can connect such signals to AC500-S.

● Can we use 2-wire transmitters with the analog input?
Yes, the AI581-S analog module is equipped to handle 2-wire transmitters.

● What is the ON time of a test pulse in DI581-S/DX581-S modules? How often is it repeated?
The test pulse terminal clamps provide a 24 V DC signal for monitoring passive sensors with test pulses. This test pulse signal is switched off to the LOW state for a fixed time (1 ms). This is valid for both the DI581-S and the DX581-S module. The test pulse repeats every 58 ms for DI581-S and every 27 ms for DX581-S on each test pulse channel.

● How often is the safety output OFF when the detection feature is switched ON in the DX581-S module?
If detection is enabled, the output of the DX581-S safety module is tested every 55 ms. Be aware that the test pulse of the internal main switch can also be observed on each output. The main switch test pulse cannot be disabled and is always present. Its duration is slightly below 1 ms in the worst case (if the output current is 500 mA) and is almost not visible in the best case (if the output current is below 50 mA).

● Can AC500-S safety modules be used in low-demand applications?
Yes.

● How to make the safety CPU address switch setting compliant with SIL 3 / PL e if one wants to use its value in the safety application program?
One may want to change the safety program execution path depending on the safety CPU configuration switch setting, which can be read in the safety program using the SF_SM5XX_OWN_ADR function block. Changing the safety program execution path depending on the safety CPU address switch setting alone is not always enough to reach SIL 3 / PL e. One has to implement additional mechanisms, e.g., a second point of entry for the program configuration setting on the application level. This can be done, e.g., by reading pre-configured (pre-saved) values from the SD card on the non-safety CPU. This additional pre-configured (pre-saved) value has to be transferred to the safety CPU and compared against the safety CPU address switch setting before the address switch setting is accepted for the safety program execution path change. This way one can attain a higher functional safety level up to SIL 3 / PL e.

● In which types of applications are FBs like SF_APPL_MEASURE_BEGIN and SF_APPL_MEASURE_END used?
These FBs can be used for time profiling of your safety application program, which is often very useful for debugging purposes to find performance bottlenecks in safety applications, for instance to estimate the actual time taken by the safety CPU to execute a certain part of the safety program logic.

● How can user data on the safety CPU be made persistent?
User data can be stored in the non-volatile flash memory of the safety CPU and read or deleted from there using special FBs (SF_FLASH_WRITE, SF_FLASH_READ and SF_FLASH_DEL).


● Can errors related to remote PROFINET/PROFIsafe safety modules be captured in the diagnostic buffer of the non-safety CPU?
With AC500 V2 non-safety CPU: Yes, you can use special diagnostic FBs to read diagnostic messages from remote safety modules on the V2 non-safety CPU. These FBs can be found in the library Profinet_AC500_V13.lib on the V2 non-safety CPU.
With AC500 V3 non-safety CPU: The PROFINET/PROFIsafe related errors can be automatically collected in the diagnostic buffer of the V3 non-safety CPU.

● Why does the non-safety CPU reboot command not reboot remote safety I/O modules?
This behavior is as designed. Only central safety I/O modules will be re-initialized after the non-safety CPU reboot command. Remote safety I/O modules may not be re-initialized and have to be acknowledged from the safety program to re-integrate them after the non-safety CPU and safety CPU re-initialization is finished. This behavior (re-initialization or not) depends on the PROFINET CI50x-PNIO setting and can be modified.

● Is ST to LAD/FBD conversion possible?
Yes, for simple projects involving the basic instruction set the conversion is possible. However, not all standard ST constructs can be converted to LAD/FBD. Please keep in mind that after a conversion from ST to LAD/FBD you cannot revert the safety program code back to ST.

● In antivalent mode wiring, the NO channel is always connected to the lower channel (the channel that delivers the aggregated 2-channel safety value to the safety CPU). Is there any specific reason for this?
This behavior is as designed, to avoid faults during antivalent sensor wiring and potential misinterpretation of which channel delivers the aggregated 2-channel safety value.

● While using our safety and non-safety I/Os with 3rd party safety PLCs, will safety and non-safety I/O diagnostic messages be available in the diagnostic buffer of those 3rd party safety PLCs?
All diagnostic messages from safety and non-safety I/Os are non-safe data which is collected by the non-safety CPU (also a 3rd party one). All diagnostic messages from safety and non-safety I/Os are currently available in the AC500 diagnostic message format and can be read and put into the diagnostic buffer of a 3rd party non-safety CPU by invoking special FBs or by using standard PROFINET diagnosis.

● Who could certify a safety program?
All international and national accredited certification bodies, like TÜV, EXIDA, UL, etc. (some of them operating around the world), could certify a safety program.

● What are the right steps to develop a safety program?
Refer to the ISO 13849-1 and IEC 62061 guidelines for machine safety application development and to IEC 61511 for process safety application development.

● Is it allowed to use FOR loops in ST programs as an alternative to IF and CASE instructions for boundary checks in arrays?
No, it is not allowed to use them as an alternative. If arrays are used in FOR loops, the programmer must still implement boundary checks using IF and CASE instructions.


— 3 AC500-S safety modules
3.1 Safety CPU - SM560-S / SM560-S-FD-1 / SM560-S-FD-4

[Fig. 5: front view of the SM560-S / SM560-S-FD-1 / SM560-S-FD-4 with the LEDs DIAG, PWR, RUN, I-ERR and E-ERR (1), the rotary switches ADDR x10H and ADDR x01H (2) and the label (3)]

Fig. 5: SM560-S / SM560-S-FD-1 / SM560-S-FD-4

Elements of the module
1 Five LEDs for status display
2 Rotary switch for address/configuration setting
3 Label

3.1.1 Purpose
SM560-S / SM560-S-FD-1 / SM560-S-FD-4 are safety CPUs for up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) safety applications. The safety CPU is mounted on the left side of the non-safety CPU on the same terminal base. The communication between the non-safety CPU and the safety CPU takes place through the internal communication bus, which is integrated in the terminal base.
Depending on the terminal base and non-safety CPU used, more than one communication module can be employed simultaneously at one non-safety CPU. However, only one safety CPU can be operated at one non-safety CPU at a time.
The safety CPU is programmed and configured via the DPRAM using the safety system configurator and the AC500-S Programming Tool, which are part of the Automation Builder software. The configuration of the safety CPU is saved non-volatile in its flash EPROMs.
Information on how to combine safety CPUs with their non-safety environment can be found in the compatibility information, see Appendix B.1 “Compatibility with AC500 V2 non-safety CPU” on page 382 and Appendix C.1 “Compatibility with AC500 V3 non-safety CPUs” on page 400.

3.1.2 Functionality
3.1.2.1 Overview

AC500 safety CPUs are always used with non-safety CPUs.


Programming of the safety CPU is done using the AC500-S Programming Tool in a similar way as programming of an AC500 CPU, but in accordance with the safety programming guidelines. Programming is done by means of routing via the AC500 CPU using the serial interface or Ethernet. The user program is composed of:
● Compiled code of all POUs called in the program
● Initialization code for variables

SM560-S-FD-1 / SM560-S-FD-4 contain all features of the SM560-S safety CPU. Additional features available on SM560-S-FD-1 / SM560-S-FD-4 safety CPUs are:
● PROFIsafe F-Device functionality
  – SM560-S-FD-1 is able to communicate with 1 PROFIsafe F-Host (controller)
  – SM560-S-FD-4 is able to communicate with up to 4 PROFIsafe F-Hosts (controllers)
● Bigger safety program size: 1.3 MB (SM560-S safety CPU has 1.0 MB)

Each safety CPU variant has its own product identifier in the production data. Thus, a download of a boot project to a wrong product variant is detected by its firmware.

3.1.2.2 Floating-point operations

Safety CPUs can perform floating-point operations.

DANGER!
Divisions by zero are not allowed and shall be caught at the latest during the formal safety CPU code review according to the safety programming guidelines Ä Chapter 4.4 “Safety programming guidelines” on page 182.
In case of exceptions during floating-point operations (e.g., due to usage of invalid arguments), the safety CPU goes to a SAFE STOP state or delivers a return value "Infinity".
Note that the range of valid arguments in the safety CPU for floating-point functions is:
– SIN and COS: [-9 x 10^15 ... 9 x 10^15]
– TAN: [-4.5 x 10^15 ... 4.5 x 10^15]
– ATAN: [-3.402823 x 10^38 ... 3.402823 x 10^38]
– LOG, LN and SQRT: up to 3.402823 x 10^38
Arguments outside the above-presented ranges will lead to a SAFE STOP state of the safety CPU.

DANGER!
The end result of a floating-point operation has to be checked for its validity before it is further used in the safety program.


DANGER!
It is important to take into account the following while programming with floating-point arithmetic Ä [5]:
– Round or truncate results after each floating-point operation according to defined ULPs (MOD, EXPT, EXP, ABS, TAN, ASIN, ACOS, ATAN, SIN, COS, LOG and LN operations are executed with a maximum expected error of 2 ULP; ADD, SUB, MUL, DIV and SQRT are executed with a maximum error of 1 ULP in the safety CPU). See http://en.wikipedia.org/wiki/Unit_in_the_last_place for more details on ULPs.
– If you compute a value which is the result of a sequence of floating-point operations, the error can accumulate and greatly affect the computation itself.
– Whenever subtracting two numbers with the same signs or adding two numbers with different signs, the accuracy of the result may be less than the precision available in the floating-point format.
– The order of evaluation can affect the accuracy of the result.
– When performing a chain of calculations involving addition, subtraction, multiplication and division, try to perform the multiplication and division operations first.
– When multiplying and dividing sets of numbers, try to arrange the multiplications so that they multiply large and small numbers together; likewise, try to divide numbers that have the same relative magnitudes.
– When comparing two floating-point numbers, always compare one value to see if it is in the range given by the second value plus or minus some small error value.
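The rules above, as an added example written in C for this edit (not code from the ABB manual or from the AC500-S libraries): C's 32-bit float is the same IEEE 754 single-precision format as the IEC 61131-3 REAL type, so the rounding effects shown are the ones a safety program sees. The SIN/COS argument limit is the one stated in the manual; the function names, the tolerance value and the 1e8 sample operands are constructed for the example.

```c
/* Added example (not from the ABB manual): checks implementing the
 * floating-point rules above, in IEEE 754 single precision ("float",
 * the same format as IEC 61131-3 REAL). Function names, tolerance and
 * sample operands are constructed for this example. */
#include <float.h>
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIN_COS_ARG_LIMIT 9.0e15f   /* manual: valid SIN/COS argument range */

static float absf(float x) { return x < 0.0f ? -x : x; }

/* 1 ULP of x: distance from |x| to the next representable float above it,
 * obtained by incrementing the IEEE 754 bit pattern (no libm needed). */
float ulp_of(float x)
{
    float ax = absf(x), next;
    uint32_t bits;
    memcpy(&bits, &ax, sizeof bits);
    bits += 1u;
    memcpy(&next, &bits, sizeof next);
    return next - ax;
}

/* Accept a result only if it lies within n ULPs of the expected value; n is
 * the error budget carried through a chain (1 ULP per ADD/SUB/MUL/DIV/SQRT,
 * 2 ULP per SIN/COS/LOG/... as stated above). */
bool within_ulps(float got, float expected, int n)
{
    return absf(got - expected) <= (float)n * ulp_of(expected);
}

/* Rule: compare REAL values with a tolerance, never with == alone. */
bool real_equal(float a, float b, float eps)
{
    return absf(a - b) <= eps;
}

/* Rule: divisions by zero are not allowed. Report failure instead of letting
 * the CPU produce Infinity; the caller then has to use a safe substitute. */
bool safe_div(float num, float den, float *out)
{
    if (den == 0.0f || !isfinite(num) || !isfinite(den)) return false;
    *out = num / den;
    return isfinite(*out);          /* overflow to Infinity also fails */
}

/* Rule: range-check SIN/COS arguments; out of range means SAFE STOP. */
bool sin_cos_arg_valid(float x)
{
    return isfinite(x) && absf(x) <= SIN_COS_ARG_LIMIT;
}

/* Rule: order of evaluation matters. With big = 1e8 and one = 1, a float
 * cannot represent 100000001 (24-bit significand, ULP = 8 at 1e8), so
 * (big + one) - big rounds to 0 while (big - big) + one is exactly 1. */
float sum_add_first(float big, float one)
{
    volatile float t = big + one;   /* volatile: force rounding to float */
    return t - big;
}
float sum_cancel_first(float big, float one)
{
    volatile float t = big - big;
    return t + one;
}

int main(void)
{
    float q;
    printf("safe_div(1,0) accepted=%d\n", safe_div(1.0f, 0.0f, &q));
    printf("add first=%g, cancel first=%g\n",
           sum_add_first(1.0e8f, 1.0f), sum_cancel_first(1.0e8f, 1.0f));
    printf("ulp(1.0)=%g, sin arg 1e16 valid=%d\n",
           ulp_of(1.0f), sin_cos_arg_valid(1.0e16f));
    return 0;
}
```

The two sum functions are the manual's "order of evaluation" rule made visible: the same three operands give 0 or 1 depending only on grouping, which is why intermediate results in a safety program need an explicit ULP budget and a tolerance comparison at the end.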

3.1.2.3 System functions

The safety CPU is not equipped with a battery. Therefore, all operands are initialized once the control voltage is switched on. Data exchange between safety and non-safety CPUs is possible Ä Appendix B.5 “Data exchange between safety CPU and AC500 V2 non-safety CPU” on page 393 Ä Appendix C.5 “Data exchange between safety CPU and AC500 V3 non-safety CPU” on page 409.

DANGER!
It is not recommended to transfer data values from the non-safety CPU to the safety CPU. If doing so anyway, end users have to define additional process-specific validation procedures in the safety program which check the correctness of the transferred non-safety data before those values are used for safety functions.
It is of no concern to transfer data values from the safety CPU to the non-safety CPU, e.g., for diagnosis and later visualization on operator panels.
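One shape such a process-specific validation procedure can take, as an added example written in C for this edit (not ABB code and not the AC500 data-exchange format): the non-safety CPU is assumed to send each value together with its bitwise-inverted copy and a running sequence number, and the safety side accepts the value only if the copy matches, the value is inside the plausible range, it changed by no more than a plausible step since the last accepted value, and the sequence number keeps advancing; any failure yields the substitute value 0. The frame layout, the field names and all limits are assumptions for the example.

```c
/* Added example (not ABB code): plausibility checks applied in the safety
 * program to a value received from the non-safety CPU. Frame layout (value,
 * inverted copy, sequence number) and all limits are constructed here; they
 * are not the AC500 data-exchange format. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int16_t  value;       /* e.g. a setpoint written by the non-safety CPU */
    uint16_t value_inv;   /* bitwise complement of value, written by the sender */
    uint8_t  seq;         /* incremented by the sender on every update */
} ns_frame_t;

typedef struct {
    int16_t  min, max;        /* process-specific plausible range */
    int16_t  max_step;        /* largest plausible change between updates */
    uint16_t stale_limit;     /* cycles a repeated seq may be tolerated */
    uint16_t stale_cycles;
    uint8_t  last_seq;
    int16_t  last_value;
    bool     have_last;
} ns_validator_t;

ns_validator_t ns_validator_init(int16_t min, int16_t max, int16_t max_step,
                                 uint16_t stale_limit)
{
    ns_validator_t v = {0};
    v.min = min; v.max = max; v.max_step = max_step; v.stale_limit = stale_limit;
    return v;
}

/* Builds a well-formed frame the way the sender would (used by the demo). */
ns_frame_t ns_frame(int16_t value, uint8_t seq)
{
    ns_frame_t f = { value, (uint16_t)~(uint16_t)value, seq };
    return f;
}

/* Returns true with the accepted value in *out, or false with *out = 0 (the
 * fail-safe substitute) if any check fails. Rejected frames do not update the
 * validator state, so the next frame is judged against the last accepted one. */
bool ns_validate(ns_validator_t *v, const ns_frame_t *f, int16_t *out)
{
    *out = 0;

    /* 1. Integrity: the inverted copy must match (stuck or garbled transfer). */
    if ((uint16_t)f->value != (uint16_t)~f->value_inv) return false;

    /* 2. Range: a value outside the plausible process range is never used. */
    if (f->value < v->min || f->value > v->max) return false;

    if (v->have_last) {
        /* 3. Liveness: an unchanged seq means the sender stopped updating;
         *    keep the last good value for a bounded number of cycles only,
         *    and only if the repeated frame still carries that value. */
        if (f->seq == v->last_seq) {
            if (f->value != v->last_value) return false;
            if (++v->stale_cycles > v->stale_limit) return false;
            *out = v->last_value;
            return true;
        }
        /* 4. Rate of change: a jump larger than max_step is implausible. */
        int32_t delta = (int32_t)f->value - (int32_t)v->last_value;
        if (delta > v->max_step || delta < -v->max_step) return false;
    }
    v->last_seq = f->seq;
    v->last_value = f->value;
    v->have_last = true;
    v->stale_cycles = 0;
    *out = f->value;
    return true;
}

int main(void)
{
    ns_validator_t v = ns_validator_init(0, 1000, 50, 3);
    ns_frame_t frames[] = { ns_frame(100, 1), ns_frame(130, 2), ns_frame(900, 3) };
    for (size_t i = 0; i < 3; i++) {
        int16_t out;
        bool ok = ns_validate(&v, &frames[i], &out);
        printf("seq %u value %d -> %s, value used %d\n", frames[i].seq,
               frames[i].value, ok ? "accepted" : "rejected", out);
    }
    return 0;
}
```

The order of the checks is deliberate: integrity and range are evaluated before any state is consulted, so a garbled first frame can never seed last_value, and a frame that fails any check leaves the validator untouched.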

Self-tests and diagnostic functions (both start-up and runtime), like CPU and RAM tests, program flow control, etc., are implemented in the safety CPU according to IEC 61508 requirements.
Selected data can be stored fail-safe and permanently in the flash memory of the safety CPU using the special library POUs SF_FLASH_READ, SF_FLASH_WRITE and SF_FLASH_DEL Ä Chapter 4.6.7.10 “SF_FLASH_READ” on page 323 Ä Chapter 4.6.7.11 “SF_FLASH_WRITE” on page 326 Ä Chapter 4.6.7.12 “SF_FLASH_DEL” on page 328.


The safety CPU is a single-threaded and single-task CPU. Only one free-wheeling program task is available for safety program execution. The free-wheeling task is the task which is processed as soon as the safety program is started and is automatically restarted at the end of each run in a continuous loop. For this task, the cycle time is not adjustable, but users can supervise the cycle time of the safety CPU using the special library POU SF_WDOG_TIME_SET Ä Chapter 4.6.7.3 “SF_WDOG_TIME_SET” on page 318.

The watchdog time of the safety CPU set using SF_WDOG_TIME_SET is the maximum permissible time allowed for one cycle run. If the time set in SF_WDOG_TIME_SET is exceeded during the program execution on the safety CPU, then it goes to a SAFE STOP state (no valid telegrams are generated by the device) with I-ERR LED = ON.

NOTICE!
POU SF_WDOG_TIME_SET must be called in the user program only one time to set a watchdog value greater than 0. If SF_WDOG_TIME_SET is not called in the user application program, the default watchdog time = 0 is used, which leads the safety CPU directly to a SAFE STOP state with I-ERR LED = ON.
To avoid occasional stops of the safety CPU due to cycle time overrun detected by the cycle time monitoring, observe the safety CPU load in the test run of the user application program to make sure that the selected watchdog monitoring value was correctly set.

NOTICE!
The watchdog value set in POU SF_WDOG_TIME_SET is used for the safety CPU cycle time monitoring only in RUN (safety) mode. In DEBUG RUN (non-safety) and DEBUG STOP (non-safety) modes of the safety CPU, the watchdog value is ignored.

Using the special PLC browser command "setpwd", it is possible to set a password for the safety CPU to prevent unauthorized access to its data (application project, etc.). Without knowledge of this password, no connection to the safety PLC can be established. Note that this password is kept in the flash memory of the safety CPU and is erased, together with the boot project, by the rotary switch system function 0xFC Ä Chapter 3.1.2.5 “Address / configuration switch / F_Dest_Add settings ” on page 38; anyone with physical access to the rotary switches can therefore reset it, so the password does not replace access control to the cabinet.

3.1.2.4 Power supply supervision

The internal power supply (+3.3 V) of the safety CPU is supervised for under- and overvoltage. If under- or overvoltage is detected, the safety CPU goes to a SAFE STOP state (no valid telegrams are generated by the device) with I-ERR LED = ON. To control the restart of the safety CPU after the power supply is back within the allowed voltage range, one can set the maximum allowed number of safety CPU restarts using POU SF_MAX_POWER_DIP_SET Ä Chapter 4.6.7.2 “SF_MAX_POWER_DIP_SET” on page 317.


3.1.2.5 Address / configuration switch / F_Dest_Add settings

The setting of the two rotary switches for PROFIsafe address and/or system configuration (for example, these switches can be used for safety program flow control) can be read out in the safety application program using POU SF_SM5XX_OWN_ADR Ä Chapter 4.6.7.8 “SF_SM5XX_OWN_ADR” on page 322. Switch address values 0xFF, 0xFE, 0xFD and 0xFC are used for internal safety CPU system functions described below:
● Switch address value 0xFF during the start of the safety CPU prevents loading the boot project to the safety CPU on start-up (the boot project still remains in the flash memory of the safety CPU). As a result, the user is able to log in to the safety CPU and load a new, correct boot project. This can be needed if the boot project is corrupt and could lead to a SAFE STOP state of the safety CPU. The safety CPU goes to DEBUG STOP (non-safety) state after start-up and successful 0xFF command execution.
● Switch address value 0xFE during the start of the safety CPU allows deleting the boot project from its flash memory. The boot project is finally deleted after a power cycle of the safety CPU. This can be needed if the boot project is corrupt and could lead to a SAFE STOP state of the safety CPU. The safety CPU goes to SAFE STOP state after start-up and 0xFE command execution.
● Switch address value 0xFD during the start of the safety CPU allows deleting user data from its flash memory. The user data are finally deleted after a power cycle of the safety CPU. This can be needed if user data are corrupt and could lead to a SAFE STOP state of the safety CPU. The safety CPU goes to SAFE STOP state after start-up and 0xFD command execution.
● Switch address value 0xFC during the start of the safety CPU allows deleting all safety CPU data, which includes, in addition to boot project and user data, also the safety CPU password and the defined power dip value from the flash memory. This means that the safety CPU will be brought to its original state. The data is finally deleted after a power cycle of the safety CPU. The safety CPU goes to SAFE STOP state after start-up and 0xFC command execution.

The switch address value range 0xF0 ... 0xFB is reserved for future internal system functions.

NOTICE!
Usage of switch address values from the system range 0xF0 ... 0xFF can lead to the loss of important user information in the flash memory of the safety CPU, e.g., boot project, user data, password or power dip value can be lost. Therefore, it is important that users pay special attention when changing the switch address position on the safety CPU.


DANGER!
Despite the fact that the SF_SM5XX_OWN_ADR function is a safety POU, the hardware switch address value is a non-safety value and needs additional measures to satisfy functional safety requirements.
PROFIsafe F_Dest_Add addresses for F-Devices on SM560-S-FD-1 / SM560-S-FD-4 safety CPUs are defined using the rotary address switch. This means that the rotary address switch on safety CPUs can have more than one function behind it. This shall be carefully considered during the safety application design, for example, if system functions (0xFF, 0xFE, 0xFD and 0xFC values on the rotary address switch) have to be used on SM560-S-FD-1 / SM560-S-FD-4 safety CPUs. In the latter case, the previously defined rotary address switch value for F_Dest_Add addresses shall be properly documented and set back to its original documented value after the system functions on the safety CPU were successfully performed.
Usage of the rotary address switch for F_Dest_Add setting allows using the same safety CPU boot project for different machines, provided that each machine has a unique pre-set F_Dest_Add address defined with the rotary address switch and properly engineered in the Automation Builder project.
The allowed range of the rotary address switch value for F_Dest_Add setting is 1 to 239 (0 would indicate no usage of F-Devices on SM560-S-FD-1 / SM560-S-FD-4). One rotary address switch represents F_Dest_Add for all possible F-Device instances (maximum 32 F-Device instances, each with 12 bytes of safety data) on SM560-S-FD-1 / SM560-S-FD-4 safety CPUs.
The following rule applies for F_Dest_Add assignment to F-Devices:
– F_Dest_Add for F-Device = Rotary address switch value * 100 + F-Device instance number (0..31, which is the consecutive number in which F-Devices are instantiated in the Automation Builder module/device tree).
– To properly configure an F-Device on SM560-S-FD-1 and SM560-S-FD-4 safety CPUs, one has to provide the correct configuration of F_Dest_Add using the rotary address switch value and the F-Parameter configuration provided from the F-Host and its controller.

A complex system containing multiple AC500-S sub-systems connected together via PROFIsafeneeds some additional consideration on how to allocate F_Dest_Add and F_Source_Addaddresses because messages from different F-Hosts can overlap in the "Black Channel",for example in non-safety CPU. The potential overlapping may increase the probability ofdangerous error in the safety configuration and communication. The typical PFH value forPROFIsafe communication is 3.0E-10.

DANGER!
For each AC500-S sub-system whose PROFIsafe communication can overlap in the "Black Channel" with the PROFIsafe communication from another F-Host, the pair of F_Dest_Add and F_Source_Add (so-called codename in PROFIsafe terminology Ä [2]) has to be unique. If only F_Dest_Add is checked by the F-Device (e.g., using hardware address settings on it), then not only codenames but also F_Dest_Add shall be unique. In the case of SM560-S-FD-1 and SM560-S-FD-4, because PROFIsafe communication from different F-Hosts (PROFIsafe telegrams from the own F-Host on SM560-S-FD-1 or SM560-S-FD-4 and PROFIsafe telegrams from external F-Hosts) will overlap on the non-safety CPU, additional measures beyond unique codenames shall be applied:
– Unique F_Dest_Add for all F-Devices belonging to external F-Host(s) and the own F-Host on SM560-S-FD-1 or SM560-S-FD-4 safety CPUs.


NOTICE!
FSCP 3/1 address type 1 is used in SM560-S-FD-1 and SM560-S-FD-4: only F_Dest_Add is used for PROFIsafe F-Device identification in SM560-S-FD-1 and SM560-S-FD-4.

The allowed range for F_Dest_Add addresses is described in Ä Chapter 4.3.5 “Instantiationand configuration of safety modules / definition of variable names” on page 140.

[Fig. 6 (diagram, not reproduced). Legend: S<x> = F_Source_Add x, D<y> = F_Dest_Add y, (S<x>, D<y>) = CODENAME. Codename space 1 over Network Infrastructure 1: two SM560-S act as F-Hosts with the F-Host drivers S<1>,D<102>; S<1>,D<103>; S<12>,D<104> and S<5>,D<106>; S<5>,D<107>; S<5>,D<8>, which terminate in the F-Device drivers with the matching codenames on two SM560-S-FD-4. Codename space 2 over Network Infrastructures 2.1 and 2.2: each SM560-S-FD-4 acts as F-Host with the drivers S<9>,D<10> and S<9>,D<11> for its own DI581-S and DX581-S F-Devices.]

Fig. 6: Exemplary system with overlapping PROFIsafe networks and PROFIsafe address allocation and generic network infrastructure, which may include WLAN, switched network, direct connection, etc.


DANGER!
As a summary, the following rules shall be applied using organizational procedures for safe CPU-to-CPU communication using SM560-S-FD-1 and SM560-S-FD-4 CPUs. (This has to be checked manually and is a part of Ä Chapter 6.3 “Checklist for configuration and wiring” on page 346.):
– In the same codename space, F_Dest_Add shall be unique (Fig. 6 on page 40).
– In the same codename space, F_Source_Add shall not be re-used in other F-Hosts. Inside the same F-Host, a re-use is allowed for several F-Host drivers.
– In the same codename space, F_Dest_Add shall not be used as F_Source_Add and vice versa.
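The F_Dest_Add assignment rule from the DANGER box in Chapter 3.1.2.5 and the three codename-space rules summarized above, as an added example written in C for this edit (not ABB code and not part of Automation Builder): f_dest_add() applies the "rotary switch value * 100 + instance number" formula with the documented limits, and check_codename_rules() scans a list of (codename space, F-Host, F_Source_Add, F_Dest_Add) entries for violations of the three rules, treating separate codename spaces as independent. The host names and the entry lists are constructed for the example; the codenames in the first list follow Fig. 6.

```c
/* Added example (not ABB code): F_Dest_Add derivation for F-Device instances
 * on SM560-S-FD-1 / SM560-S-FD-4 and a checker for the three codename-space
 * rules. Host names and entry lists are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* F_Dest_Add = rotary switch value * 100 + F-Device instance number.
 * Returns -1 if the switch value is outside 1..239 (0 = no F-Devices,
 * 0xF0..0xFF = system functions) or the instance is outside 0..31. */
int f_dest_add(int switch_value, int instance)
{
    if (switch_value < 1 || switch_value > 239) return -1;
    if (instance < 0 || instance > 31) return -1;
    return switch_value * 100 + instance;
}

typedef struct {
    int         space;   /* codename space, i.e. one shared "Black Channel" */
    const char *fhost;   /* F-Host owning this F-Host driver (assumed name) */
    int         src;     /* F_Source_Add */
    int         dst;     /* F_Dest_Add */
} psafe_entry_t;

enum {
    RULE_DST_UNIQUE         = 1,  /* same space: F_Dest_Add must be unique */
    RULE_SRC_PER_HOST       = 2,  /* same space: F_Source_Add not reused by another F-Host */
    RULE_NO_SRC_DST_OVERLAP = 4   /* same space: no value is both src and dst */
};

/* Returns a bitmask of violated rules; 0 means the allocation passes. */
int check_codename_rules(const psafe_entry_t *e, size_t n)
{
    int violations = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            if (e[i].space != e[j].space) continue;   /* other spaces may reuse */
            if (i != j && e[i].dst == e[j].dst)
                violations |= RULE_DST_UNIQUE;
            if (e[i].src == e[j].src && strcmp(e[i].fhost, e[j].fhost) != 0)
                violations |= RULE_SRC_PER_HOST;
            if (e[i].dst == e[j].src)
                violations |= RULE_NO_SRC_DST_OVERLAP;
        }
    }
    return violations;
}

/* Constructed allocation following Fig. 6: two SM560-S F-Hosts share codename
 * space 1; two SM560-S-FD-4 each act as F-Host for their own I/O modules in
 * separate spaces, so both may reuse S<9>,D<10> and S<9>,D<11>. */
const psafe_entry_t alloc_ok[] = {
    {1, "SM560-S_A", 1, 102}, {1, "SM560-S_A", 1, 103}, {1, "SM560-S_A", 12, 104},
    {1, "SM560-S_B", 5, 106}, {1, "SM560-S_B", 5, 107}, {1, "SM560-S_B", 5, 8},
    {2, "FD4_A", 9, 10}, {2, "FD4_A", 9, 11},
    {3, "FD4_B", 9, 10}, {3, "FD4_B", 9, 11},
};
const size_t alloc_ok_len = sizeof alloc_ok / sizeof alloc_ok[0];

/* Constructed violations, one per rule. */
const psafe_entry_t alloc_dup_dst[]   = { {1, "A", 1, 102}, {1, "B", 5, 102} };
const psafe_entry_t alloc_src_reuse[] = { {1, "A", 1, 102}, {1, "B", 1, 103} };
const psafe_entry_t alloc_overlap[]   = { {1, "A", 1, 102}, {1, "A", 102, 103} };

int main(void)
{
    printf("F_Dest_Add(switch=1, instance=2) = %d\n", f_dest_add(1, 2));
    printf("Fig. 6 allocation violations: %d\n",
           check_codename_rules(alloc_ok, alloc_ok_len));
    printf("dup dst: %d, src reuse: %d, src/dst overlap: %d\n",
           check_codename_rules(alloc_dup_dst, 2),
           check_codename_rules(alloc_src_reuse, 2),
           check_codename_rules(alloc_overlap, 2));
    return 0;
}
```

The same scan is what the checklist in Chapter 6.3 asks to be done by hand; the value of scripting it is that the "space" column forces the engineer to state explicitly which networks actually share a Black Channel, which is where overlapping PROFIsafe traffic becomes a problem.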

To ensure that the right safety configuration and safety application is loaded to the right system, customers can use the SM560-S-FD-1 / SM560-S-FD-4 address switch to verify that the configuration fits the selected system. The address switch on SM560-S-FD-1 / SM560-S-FD-4 implicitly protects the given safety CPU because it is used for the definition of F_Dest_Add for PROFIsafe F-Device instances. If a wrong boot project is loaded on the given SM560-S-FD-1 / SM560-S-FD-4, then it will not match the F-Parameters transferred from the F-Host and will end in a configuration error of the corresponding PROFIsafe instance.

3.1.2.6 Firmware, boot code and boot project update

The updates of the safety CPU for boot project, firmware and boot code are performed via the non-safety CPU, either via Automation Builder or via SD card.

DANGER!
Each firmware and boot code update has to be followed by a complete functional safety validation procedure for the given safety process control application.

3.1.2.6.1 Update via Automation Builder

We recommend updating firmware, boot code and boot project via Automation Builder. This feature is described in Ä [3].

3.1.2.6.2 Update via SD card

DANGER!
If you use an SD card for firmware, boot code and boot project update via the non-safety CPU, it is important that special organizational procedures (e.g., limited access to the cabinet where the safety CPU is located) are defined on the end-customer site to avoid an unintended software update of the safety CPU: whoever can insert an SD card into the non-safety CPU can change the safety CPU software.
It is possible to read the current firmware version of the safety CPU using POU SF_RTS_INFO Ä Chapter 4.6.7.9 “SF_RTS_INFO” on page 323. Thus, you can limit safety program execution to the pre-defined firmware versions only.


NOTICE!
You cannot update both boot project and firmware / boot code at the same time for the safety CPU. Perform these updates in two steps. This means that you may need two SD cards: one SD card with the firmware / boot code update and the other SD card with the boot project update.

Firmware and boot code update
The procedure for SD card creation with firmware / boot code for a safety CPU is handled in the same way as described for communication modules in Ä [3].

Boot project update
The safety CPU boot project can be updated only if no boot project is present on the safety CPU. This is to avoid an unintentional boot project update on the safety CPU. Before loading a new boot project, delete the existing boot project on the safety CPU, e.g., via setting the address switch to value 0xFE/0xFC Ä Chapter 3.1.2.5 “Address / configuration switch / F_Dest_Add settings ” on page 38, via the PLC browser command delappl in AC500-S Programming Tool or via “Online è Reset Origin” in Automation Builder.

3.1.3 Mounting, dimensions and electrical connection

The safety CPU is mounted on the left side of the non-safety CPU on the same terminal base. The electrical connection is established automatically when mounting the safety CPU. Basic information on system assembly is shown here. Detailed information can be found in Ä [3]. Installation and maintenance have to be performed according to the technical rules, codes and relevant standards, e.g. EN 60204 part 1, by skilled electricians only.

DANGER!
Hot plug and hot swap of energized modules is not permitted. All power sources (supply and process voltages) must be switched off while working with safety modules.

Assembly of the safety CPU

[Fig. 7 (drawing, not reproduced): PM581 non-safety CPU with CM572 communication module and SM560-S safety CPU on one terminal base. The SM560-S front carries the LEDs DIAG, PWR, RUN, I-ERR and E-ERR and the two hexadecimal rotary switches ADDR x10H and ADDR x01H (positions 0...F).]

Fig. 7: Assembly instructions

Insert the module below, and then click-in above.


Fig. 8: Disassembly instructions

Press above and below, then swing out the module and remove it.

[Fig. 8 (drawing, not reproduced): same module arrangement as in Fig. 7, showing the SM560-S being swung out of the terminal base.]

Dimensions of the safety CPU

[Fig. 9 (dimension drawing, not reproduced). Values in mm (inches): 28 (1.10), 67.5 (2.66), 95.5 (3.76) for TB511, 123.5 (4.86) for TB521, 179.5 (7.07) for TB541, 135 (5.31), 59 (2.32), 70.5 (2.78), 13 (0.51), 62 (2.44), 75 (2.95), 76 (2.99), 77 (3.03), 84.5 (3.33); DIN rail 15 mm and 7.5 mm.]

Fig. 9: Dimensions of the safety CPU

3.1.4 Diagnosis and LED status display

Safety CPU status is shown by its LEDs. The RUN LED is bicolored. The following figure and table show positions and functions of the 5 LEDs.


[Fig. 10 (drawing, not reproduced): SM560-S front with the LEDs DIAG, PWR, RUN, I-ERR and E-ERR.]

Fig. 10: LEDs for status display

Table 3: Status display and its meaning

PWR (Module power supply, green)
  ON: +3.3 V internal power supply is available
  BLINKING: Not applicable
  OFF: +3.3 V internal power supply is not available

DIAG (Diagnostics, yellow)
  ON: Configuration error
  BLINKING: Not applicable
  OFF: No configuration error

RUN (Run mode indicator, green)
  ON: Safety CPU is in RUN (safety) mode. The application program is executed.
  BLINKING: Not applicable
  OFF: Safety CPU is in DEBUG STOP (non-safety) mode. The application program is not executed.

RUN (Run mode indicator, yellow)
  ON: Safety CPU is in DEBUG RUN (non-safety) mode. The application program is executed.
  BLINKING: Firmware, boot project or boot code update indication
  OFF: Safety CPU is in DEBUG STOP (non-safety) mode. The application program is not executed.

I-ERR (Internal device error indicator, red)
  ON: Internal device error leading to a SAFE STOP state (no valid PROFIsafe telegrams are generated by the device).
  BLINKING: Firmware or boot code update
  OFF: No internal device error leading to a safe state

E-ERR (External error indicator, red)
  ON: This LED can be set only from the user application program using the special library POU SF_E_ERR_LED_SET Ä Chapter 4.6.7.1 “SF_E_ERR_LED_SET” on page 317. One possible use case is the visualization of important external device errors.
  BLINKING: Set in the same way from the user application program using POU SF_E_ERR_LED_SET. One possible use case is the visualization of light external device errors.
  OFF: No external errors were identified.


[Fig. 11 (drawing, not reproduced): four LED pictures of the SM560-S (DIAG, PWR, RUN, I-ERR, E-ERR) for the start-up states 1 to 4.]

Fig. 11: LED states of the safety CPU during start-up

1 State 1 - Hardware reset
2 State 2 - Initialization
3 State 3 - LED test
4 State 4 - End of start-up

Error messages

Safety CPU error messages are aggregated together with other communication module error messages in non-safety CPUs. All error messages can be observed on the non-safety CPU. In addition, error messages of the safety CPU can be observed on the safety CPU itself.
With AC500 V2 non-safety CPU: Ä Appendix B.2.1 “Error messages for safety CPUs” on page 384
With AC500 V3 non-safety CPU: Ä Appendix C.2.1 “Error messages for safety CPUs” on page 401
The complete list of AC500 error messages can be found in Ä [3].

NOTICE!
The error messages not only of the safety CPU but also of the safety I/O modules are visualized on the non-safety CPU display.
No error message overflow on the safety CPU is possible. The maximum number of entries in the safety CPU diagnosis system is 100. If all 100 entries in the diagnosis system are occupied, the newest entry overwrites the oldest one. After a power cycle of the safety CPU, error messages are deleted from the safety CPU diagnosis system. Consequently, the safety CPU keeps no persistent error history: if the entries are needed for a later analysis, read them out before the power cycle that is required to leave SAFE STOP.



3.1.5 Safety CPU module states

Fig. 12: Safety CPU states Ä Chapter 3.1.5.1 “Description of safety CPU module states” on page 46 and transitions Ä Chapter 3.1.5.2 “Transitions between safety CPU states ” on page 48

[Fig. 12 (state diagram, not reproduced). Legend: power cycle or “reboot” PLC browser/shell command on non-safety CPU; errors of severity level 1 or 2; further transitions.]

3.1.5.1 Description of safety CPU module states

INIT
This is a temporary system state which is left after internal safety diagnostic tests and start-up procedures are executed. Refer to Fig. 11 on page 45 to see the LED states.

RUN
In this state, the safety application is normally executed, provided that the boot project is loaded. No error of severity level 1 or 2 is present.
In AC500-S Programming Tool, all online services from the “Online” menu are available for users, but only three of them can be executed without leaving RUN state: “Login”, “Logout” and “Check boot project in PLC”. All other services (e.g., set a breakpoint) switch the safety CPU to the non-safety DEBUG states (DEBUG RUN or DEBUG STOP).

[LED pictures for the INIT and RUN states not reproduced.]


SAFE STOP
The safety CPU goes to SAFE STOP state if an error of severity level 1 or 2 is identified. All PROFIsafe output telegrams are nulled (no valid PROFIsafe telegrams are generated in this state). In AC500-S Programming Tool, no online services from the “Online” menu are available for users.
This state can be left only after a power cycle or using the “reboot” PLC browser/shell command on the non-safety CPU.

DEBUG RUN
DEBUG RUN (non-safety) state can be reached if online services from the “Online” menu are used (except “Login”, “Logout” and “Check boot project in PLC”) from the safe RUN state. The user can set a breakpoint in the safety program, perform “Single cycle” program execution, force and write variable values and execute other debugging functions available in AC500-S Programming Tool.
If the online service “Stop” is called or a breakpoint is reached in the safety application program, the safety CPU switches to DEBUG STOP (non-safety) state.
Valid PROFIsafe safety telegrams are generated in DEBUG RUN state. DEBUG RUN state is non-safe; thus, the responsibility for safe process operation lies entirely with the organization and person responsible for the activation of DEBUG RUN (non-safety) mode.
One can go back to the safe RUN state only after a power cycle or using the “reboot” PLC browser/shell command on the non-safety CPU.

DANGER!
The safety functionality and, as a result, safe process operation, is no longer guaranteed by the safety CPU in the DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode.
In case of DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode activation on the safety CPU, the responsibility for safe process operation lies entirely with the organization and person responsible for the activation of DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode.
With the help of POU SF_SAFETY_MODE one can retrieve the information whether the safety CPU is in SAFETY or DEBUG (non-safety) mode and, if required, stop or limit user application program execution Ä Chapter 4.6.7.7 “SF_SAFETY_MODE” on page 322.

[Fig. 12 LED pictures (not reproduced) for the SAFE STOP, DEBUG RUN and DEBUG STOP states; two of the pictures are labelled "without error of severity level 3 or 4" and "with error of severity level 3 or 4".]


DEBUG STOP
In this non-safe state, a user is able to intervene in safety program execution by setting breakpoints, etc., similar to DEBUG RUN state. The safety application program is not executed in DEBUG STOP (non-safety) state. The PROFIsafe F-Host and F-Devices (SM560-S-FD-1 and SM560-S-FD-4) of the safety CPU send PROFIsafe telegrams with fail-safe "0" values and set FV_activated for all safety I/O modules and F-Devices.

DANGER!
Since the PROFIsafe F-Host continues to run in DEBUG STOP (non-safety) state, it is possible to reintegrate passivated safety I/O modules and bring them into the safety RUN state. One can force variables for safety I/O modules, for example, to activate safety outputs.
In case of DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode activation on the safety CPU, the responsibility for safe process operation lies entirely with the organization and person responsible for the activation of DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode.

If the online service “RUN” is called in the safety application program, the safety CPU switches to DEBUG RUN state.
All online services are available in this state.
In case of the online commands “Step in”, “Step over”, “Single cycle” and when a breakpoint is reached, there is a switch between DEBUG RUN and DEBUG STOP states (transitions 13 and 14 in Fig. 12 on page 46).
One can go back to the safe RUN state only after a power cycle or using the “reboot” PLC browser/shell command on the non-safety CPU.

3.1.5.2 Transitions between safety CPU states

Transition numbers refer to Fig. 12 on page 46.

(1) INIT -> RUN
  ● Initialization was successful.
  ● Boot project is available and there is no configuration error or any other error of severity level 1 or 2.

(2) RUN -> INIT
  Power cycle or “reboot” PLC browser/shell command from non-safety CPU.

(3) INIT -> DEBUG STOP
  ● Initialization was successful.
  ● No boot project is available or error of severity level 3.
  ● Switch address 0xFF was set on the safety CPU.

(4) DEBUG STOP -> INIT
  Power cycle or “reboot” PLC browser/shell command from non-safety CPU.

(5) INIT -> SAFE STOP
  ● An error of severity level 1 or 2 was identified during the initialization.
  ● Unsuccessful firmware or boot code update.

(6) SAFE STOP -> INIT
  Power cycle or “reboot” PLC browser/shell command from non-safety CPU.

(7) RUN -> DEBUG RUN
  In AC500-S Programming Tool, online service “Toggle breakpoint”, “Write values”, “Force values” or “Single cycle” was used.

(8) DEBUG STOP -> SAFE STOP
  An error of severity level 1 or 2 was identified.

(9) RUN -> SAFE STOP
  An error of severity level 1 or 2 was identified.

(10) RUN -> DEBUG STOP
  ● In AC500-S Programming Tool, online service “Stop”, “Sourcecode download” or “Reset” (various) was used.
  ● [Run] button on non-safety CPU was pressed (non-safety CPU was in "Run" state).
  ● Online service “Stop” or “Reset” (various) on non-safety CPU was used.
  ● New safety boot project is loaded.

(11) DEBUG RUN -> INIT
  Power cycle or “reboot” PLC browser/shell command from non-safety CPU.

(12) DEBUG RUN -> SAFE STOP
  An error of severity level 1 or 2 was identified.

(13) DEBUG RUN -> DEBUG STOP
  ● In AC500-S Programming Tool, online service “Stop” or “Reset” (various) was used.
  ● [Run] button on non-safety CPU was pressed (non-safety CPU was in "Run" state).
  ● Online service “Stop” or “Reset” (various) on non-safety CPU was used.
  ● Breakpoint was reached during debugging.
  ● At the end of the safety CPU cycle in "Single cycle" debugging mode.
  ● New safety boot project is loaded.

(14) DEBUG STOP -> DEBUG RUN
  ● In AC500-S Programming Tool, online service “Step over”, “Step in” or “Run” was used.
  ● Online service “Run” on non-safety CPU was used.
  ● [Run] button on non-safety CPU was pressed (non-safety CPU was in "Stop" state).

(15) INIT -> INIT
  Power cycle or “reboot” PLC browser/shell command from non-safety CPU.

(16) INIT -> SAFE STOP
  Switch address 0xFE, 0xFD or 0xFC was set on the safety CPU.

3.1.6 Safety and non-safety CPU interaction

The safety CPU and non-safety CPU have their own firmware, boot project and application program, which are executed separately. The only control element on the non-safety CPU hardware which allows changing the status of both the non-safety and the safety CPU is the [Run] button on the non-safety CPU. The [Run] button on the non-safety CPU can simultaneously stop and start both non-safety and safety CPU. This behavior of the [Run] button depends on the non-safety CPU settings Ä [3].
A stopped safety CPU means that application program execution has stopped only. PROFIsafe F-Host and F-Device stacks Ä [2] continue to run in fail-safe mode. All safety I/O modules are passivated and substitute values "0" are used for safety I/Os and F-Devices. PROFIsafe F-Host and F-Device stack execution can be stopped by entering SAFE STOP state only. In this case, PROFIsafe telegrams are not generated and the I-ERR LED is on.

AC500-S safety modules

Safety CPU - SM560-S / SM560-S-FD-1 / SM560-S-FD-4 > Safety and non-safety CPU interaction

2022/02/04 3ADR025091M0210, 14, en_US 49

Page 50: AC500-S Safety user manual V1.3.0 - ABB

DANGER!
It is not possible to safely start the safety CPU using the [Run] button on the non-safety CPU. The safety CPU always goes to the non-safe DEBUG mode (DEBUG RUN or DEBUG STOP) as soon as the [Run] button is pressed on the non-safety CPU Ä Chapter 3.1.5.1 “Description of safety CPU module states” on page 46. To bring the safety CPU back into the safe RUN mode, perform a power cycle of the safety CPU or use the “reboot” PLC browser/shell command on the non-safety CPU. The commands “Run” and “Stop” in the engineering suite have the same effect on the safety CPU and non-safety CPU as the [Run] button on the non-safety CPU.

There are some parameters of the non-safety CPU configuration which influence the overall system behavior of the safety and non-safety CPU Ä Appendix B.3 “AC500 V2 non-safety CPU parameters configuration” on page 391 Ä Appendix C.3 “AC500 V3 non-safety CPU parameters configuration” on page 406.

Fig. 13: Influence of non-safety CPU parameter settings on safety telegram flow

1 Safety CPU
2 Non-safety CPU
3 Safety I/O module
4 Valid safety telegram
5 Telegram with "0" values or valid safety telegram
6 Non-safety CPU settings
7 Safety CPU safety telegrams with output values

3.1.7 Parameterization

The arrangement of the parameter data is performed by your system configuration software Automation Builder.

No. | Name | Values | Default
1 | Min update time (with AC500 V2 non-safety CPU) / Update cycle time (with AC500 V3 non-safety CPU) | 1-20000 ms | "10 ms"
2 | Enable debug | "On", "Off" | "Off"
3 | PROFIsafe startup timeout | 0-65535 ms | "0 ms"


"Min update time" / "Update cycle time"

Depending on the non-safety AC500 CPU used, the cycle time parameter has a different name. The meaning of both parameters is identical.

Note that this parameter influences the safety function response time. The smaller the value is, the faster the safety function response time will be Ä Chapter 5.1 “Overview” on page 334. However, at the same time, the load on the non-safety CPU increases with smaller values of “Min update time” / “Update cycle time”.

DANGER!
Big values (e.g., > 10 ms) of the “Min update time” / “Update cycle time” parameter increase the chance of not delivering input pulse signals with a length < “Min update time” / “Update cycle time” value to the safety CPU.

"Enable debug"

If this parameter is set to “Off”, then no new boot project can be loaded to the safety CPU and debugging is not possible.

If a new boot project has to be loaded to the safety CPU, then, in advance, a new boot project with the “Enable debug” parameter set to “On” for the safety CPU shall be loaded to the non-safety CPU. After the reboot of the non-safety CPU, a new boot project can be loaded to the safety CPU.

Note that the following PLC browser commands are supported on the safety CPU only if the “Enable debug” parameter is set to “On” Ä list of all PLC browser commands:
● resetprg - reset safety CPU program
● resetprgorg - reset safety CPU program original
● setpwd - set safety CPU login password
● delpwd - delete safety CPU login password
● delappl - delete user program
● deluserdat - delete user data segments

"PROFIsafe startup timeout"

This safety CPU parameter defines how long the safety CPU shall wait during start-up for the F-Device communication. If the timeout expires, the safety CPU passivates the F-Device, which enforces a reintegration by the user. Value = 0 disables any timeout supervision for all F-Devices. The value of this parameter is valid for all F-Devices.

3.1.8 Technical data

Additional technical data is available in the ABB PLC catalog at www.abb.com/plc.

NOTICE!
The safety CPU -XC version is available for usage in extreme environmental conditions Ä Appendix A “System data for AC500-S-XC” on page 376.

Memory

Data | Value | Unit
User program memory of SM560-S | 1 | MB
User program memory of SM560-S-FD-1 and SM560-S-FD-4 | 1.3 | MB
User data memory (thereof 120 kB saved) | 1 | MB


Performance

Data | Value | Unit
Cycle time - binary | 0.05 | µs/instruction
Cycle time - word | 0.06 | µs/instruction
Cycle time - floating-point | 0.50 | µs/instruction

Voltages, according to EN 61131-2

Data | Value | Unit
Process and supply voltage (without ripple) | 24 (-15 %, +20 %) | V DC
Absolute limits (including ripple) | 19.2 ... 30 | V DC
Ripple | < 5 | %
Protection against reverse polarity | 10 | s

DANGER!
Exceeding the permitted process or supply voltage range (< -35 V DC or > +35 V DC) could lead to unrecoverable damage of the system.

Allowed interruptions of power supply, according to EN 61131-2

Data | Value | Unit
DC supply interruptions | < 10 | ms
Time between 2 DC supply interruptions, PS2 | > 1 | s

Environmental conditions

Data | Value | Unit
Operating temperature* | 0 ... +60 | °C
Storage temperature | -40 ... +85 | °C
Transport temperature | -40 ... +85 | °C
Humidity without condensation | max. 95 | %
Operating air pressure | > 800 | hPa
Storage air pressure | > 660 | hPa
Operating altitude | < 2000 | m above sea level
Storage altitude | < 3500 | m above sea level

* Extended temperature ranges (below 0 °C and above +60 °C) can be supported in special versions of the safety CPU Ä Appendix A “System data for AC500-S-XC” on page 376.

Creepage distances and clearances

The creepage distances and clearances meet the overvoltage category II, pollution degree 2.

Power supply units

For the supply of modules, power supply units according to PELV/SELV specifications must be used.

Electromagnetic compatibility

For information on electromagnetic compatibility refer to the latest TÜV SÜD Report Ä [1].



Mechanical properties

Data | Value | Unit
Mounting | horizontal (or vertical with derating (maximal operating temperature reduced to +40 °C)) |
Degree of protection | IP 20 |
Housing | according to UL 94 |
Vibration resistance acc. to EN 61131-2 (all three axes), continuous | 3.5 mm (2 ... 15 Hz) |
Vibration resistance acc. to EN 61131-2 (all three axes), continuous | 1 g * (15 ... 150 Hz) |
Shock test (all three axes), 11 ms half-sinusoidal | 15 | g
MTBF | 168 | years

* Higher values on request

Self-test and diagnostic functions

Start-up and runtime tests: Program flow control, RAM, CPU, etc.

Dimensions, weight

Data | Value | Unit
W x H x D | 28 x 135 x 75 | mm
Weight | ~ 100 | g

Certifications

CE, cUL (further certifications at www.abb.com/plc)

3.1.9 Ordering data

Type | Description | Part no.
SM560-S | Safety module - CPU, safety related module up to SIL 3 | 1SAP 280 000 R0001
SM560-S-XC | Safety module - CPU, safety related module up to SIL 3, extreme conditions | 1SAP 380 000 R0001
SM560-S-FD-1 | Safety module - CPU, safety related module up to SIL 3 with F-Device functionality for 1 PROFIsafe network | 1SAP 286 000 R0001
SM560-S-FD-1-XC | Safety module - CPU, safety related module up to SIL 3 with F-Device functionality for 1 PROFIsafe network, extreme conditions | 1SAP 386 000 R0001


Type | Description | Part no.
SM560-S-FD-4 | Safety module - CPU, safety related module up to SIL 3 with F-Device functionality for up to 4 PROFIsafe networks | 1SAP 286 100 R0001
SM560-S-FD-4-XC | Safety module - CPU, safety related module up to SIL 3 with F-Device functionality for up to 4 PROFIsafe networks, extreme conditions | 1SAP 386 100 R0001

3.2 Generic safety I/O module behavior

3.2.1 Overview

All safety I/O modules (AI581-S, DI581-S and DX581-S) can be used in a centralized or remote configuration with PROFINET/PROFIsafe (Fig. 3 on page 22). PROFINET devices CI501-PNIO, CI502-PNIO, CI504-PNIO and CI506-PNIO can be used to attach safety I/O modules in remote configurations. Safety I/O modules can be freely mixed with any non-safety I/Os from the AC500 and AC500-eCo product families.

NOTICE!
Safety I/O module firmware update can currently be performed only by qualified personnel in the ABB factory.

3.2.2 Safety I/O module states

Safety I/O module system states can be described using the following two state charts.


Fig. 14: Overview of transitions related to power cycles and errors of severity level 1 in safety I/O modules

[Figure: state chart; transition labels "Power cycle" and "Error of severity level 1"]

Fig. 15: Overview of transitions in safety I/O modules (except power cycles and errors of severity level 1)

[Figure: state chart of the numbered transitions]

3.2.2.1 Description of safety I/O module states

INIT

The hardware is initialized and internal start-up tests of the safety I/O module are executed. Refer to Fig. 16 on page 64 to see the LED states. After a successful parameterization, the PROFIsafe communication is expected to be initiated by the PROFIsafe F-Host.


The safety I/O module will remain in this state:
● as long as undervoltage is detected.
● if the parameterization failed or is pending.
● if the PROFIsafe communication is pending.

Users have to check that a dedicated qualifier output bit (PROFIsafe diagnostic) for at least one of the channels in the given safety I/O module is set to "1" to verify that the PROFIsafe F-Devices are initialized.

PROFIsafe status bits in the F-Host for safety I/O module:
OA_Req_S = 0
FV_activated_S = 1
Device_Fault = 0

Process data bits in the safety I/O module process image:
PROFIsafe diagnostic bit = 0
Channel process value = 0
Reintegration request bit = 0


RUN (ok)

PROFIsafe communication is up and running. The safety application is running without any detected errors.

PROFIsafe status bits in the F-Host for safety I/O module:
OA_Req_S = 0
FV_activated_S = 0
Device_Fault = 0

Process data bits in the safety I/O module process image:
PROFIsafe diagnostic bit = 1
Channel process value = Process value
Reintegration request bit = 0



RUN (channel passivation and reintegration)

PROFIsafe communication is up and running. The safety application is running with detected channel errors.

A channel error (e.g., no expected test pulses, discrepancy time, etc.) is identified in at least one of the channels. The fail-safe value ("0") is transferred to the PROFIsafe F-Host for the passivated input channel(s). The related PROFIsafe diagnostic bit(s) are also set to "0" to indicate the usage of fail-safe values.

A passivated output channel has a state of "0" and the related PROFIsafe diagnostic bit(s) are also set to "0" to indicate the usage of fail-safe values.

As soon as the channel error is gone (e.g., wiring error was corrected; this is valid only for those errors which are acknowledgeable), the reintegration request bit for the given channel switches to "1", which indicates to the safety application running on the safety CPU that a reintegration of the channel is possible. Setting the acknowledge reintegration bit from "0" to "1" initiates a reintegration of the given channel. A positive edge from "0" to "1" is required to acknowledge channel reintegration.

As soon as all channel errors are gone and acknowledged, the RUN (ok) state is reached.

PROFIsafe status bits in the F-Host for safety I/O module:
OA_Req_S = 0
FV_activated_S = 0
Device_Fault = 0

Process data bits in the safety I/O module process image:
PROFIsafe diagnostic bit = 0
Channel process value = 0
Reintegration request bit = 0 if an error is still present; 1 if the channel can be reintegrated.



RUN (module passivation): alternating blinking of ERR1 and ERR2 LEDs

PROFIsafe communication is up and running. The safety application is running with a present module error.

The module and, as a result, all its channels are passivated. Possible reasons for module passivation are:
● PROFIsafe communication failure (CRC error)
● PROFIsafe watchdog timeout exceeded
● Undervoltage/overvoltage detected (Device_Fault status bit = 1)

The fail-safe value "0" is transferred to the safety PLC for all passivated input channels, if the connection to the PROFIsafe F-Host is possible. The safety application continuously attempts to establish communication to the safety CPU, if the communication is broken. All passivated output channels have a state of "0".

A state transition to another RUN mode is only possible if the detected error is gone.

PROFIsafe status bits in the F-Host for safety I/O module (if communication is possible!):
OA_Req_S = 0
FV_activated_S = 1
Device_Fault = 1 (in case of undervoltage/overvoltage detected) and/or CE_CRC = 1 (in case of communication error) and/or WD_timeout = 1 (in case of watchdog timeout)

Process data bits in the safety I/O module process image:
PROFIsafe diagnostic bit = 0
Channel process value = 0
Reintegration request bit = 0



RUN (module passivation with a command): alternating blinking of ERR1 & ERR2 LEDs

PROFIsafe communication is up and running. The safety application is running without any detected errors.

The module and all its channels are passivated because the safety application on the safety CPU requested a module passivation (activate_FV_C = 1 was set).

The fail-safe value "0" is transferred to the safety CPU for all passivated input channels. All passivated output channels have a state of "0". The PROFIsafe diagnostic bit(s) for all channels have the state of "0" to indicate that fail-safe values are transferred.

PROFIsafe status bits in the F-Host for safety I/O module:
FV_activated_S = 1

Process data bits in the safety I/O module process image:
PROFIsafe diagnostic bit = 0
Channel process value = 0
Reintegration request bit = 0


RUN (user acknowledgment request): alternating blinking of ERR1 & ERR2 LEDs

PROFIsafe communication is up and running. The safety application is running without any errors but waits for the acknowledgment of a module reintegration (module error is gone).


The fail-safe value "0" is still transferred to the safety CPU for all passivated input channels. All passivated output channels have a state of "0". The PROFIsafe diagnostic bits for all channels have the state of "0" to indicate that fail-safe values are transferred.

The OA_Req_S bit is reported as "1".

As soon as the safety application of the safety CPU sets OA_C (positive edge), the safety I/O module goes to RUN (ok) state if no further errors are detected. The positive edge has to be sent to the safety I/O module until OA_Req_S starts delivering "0".

PROFIsafe status bits in the F-Host for safety I/O module:
OA_Req_S = 1
FV_activated_S = 1
Device_Fault = 0

Process data bits in the safety I/O module process image:
PROFIsafe diagnostic bit = 0
Channel process value = 0
Reintegration request bit = 0


SAFE STOP

The safety application execution was stopped. No PROFIsafe communication is possible.

This state is reached if an error of severity level 1 (e.g., CPU test, RAM test, etc. failed) took place.

This state can be left only through a power cycle or the “reboot” command from the non-safety CPU or communication interface module.

PROFIsafe status bits in the F-Host for safety I/O module:
OA_Req_S = 0
FV_activated_S = 1
Device_Fault = 0

Process data bits in the safety I/O module process image:
PROFIsafe diagnostic bit = 0
Channel process value = 0
Reintegration request bit = 0


3.2.2.2 Transitions between safety I/O module states

Transition (Fig. 14 on page 55, Fig. 15 on page 55): From → To: Description

(1) INIT → RUN (ok): Safety I/O module comes to this state directly after INIT during a normal start-up.

(2) RUN (ok) → INIT: Power cycle.

(3) INIT → RUN (module passivation): PROFIsafe watchdog, PROFIsafe communication error or undervoltage/overvoltage was detected directly after INIT. The safety I/O module can reach this state also after a power cycle of the safety I/O module if the safety CPU with PROFIsafe F-Host continues running and brings the safety I/O module to a fail-safe RUN (module passivation) state after a power cycle.

(4) RUN (module passivation) → INIT: Power cycle.

(5) INIT → SAFE STOP: Error(s) of severity level 1 (CPU test, RAM test, etc. failed) took place.

(6) SAFE STOP → INIT: Power cycle.

(7) RUN (ok) → RUN (channel passivation and reintegration): Channel error was identified by the safety I/O module. The tests (whenever possible) are continued for the given channel to be able to see if the error is gone (e.g., wiring error was corrected). As soon as the error is gone, the module sets "Reintegration request" bit = "1" for the given channel.

(8) RUN (channel passivation and reintegration) → RUN (ok):
● The channel error is gone.
● "Reintegration request" bit = 1 is set for the given channel by the safety I/O module.
● "Acknowledge reintegration" bit (positive edge) is set by the PROFIsafe F-Host for the given channel.

(9) RUN (ok) → SAFE STOP: Error(s) of severity level 1 (CPU test, RAM test, etc. failed) took place.

(10) RUN (ok) → RUN (module passivation): PROFIsafe watchdog, PROFIsafe communication error or undervoltage/overvoltage was detected.

(11) RUN (ok) → RUN (module passivation with a command): "activate_FV_C = 1" command was sent from the safety CPU.

(12) RUN (channel passivation and reintegration) → SAFE STOP: Error(s) of severity level 1 (CPU test, RAM test, etc. failed) took place.

(13) RUN (module passivation) → SAFE STOP: Error(s) of severity level 1 (CPU test, RAM test, etc. failed) took place.

(14) RUN (channel passivation and reintegration) → INIT: Power cycle.

(15) INIT → INIT: Power cycle.

(16) RUN (user acknowledgment request) → SAFE STOP: Error(s) of severity level 1 (CPU test, RAM test, etc. failed) took place.


(17) RUN (user acknowledgment request) → INIT: Power cycle.

(18) RUN (module passivation with a command) → RUN (module passivation): PROFIsafe watchdog, PROFIsafe communication error or undervoltage/overvoltage was identified. Note: In this transition, it is possible that the WD_timeout bit of the PROFIsafe F-Host instance toggles if a watchdog timeout is periodically recognized by the safety I/O module.

(19) RUN (module passivation) → RUN (module passivation with a command): If the threshold shut-down value was not reached during the process undervoltage or overvoltage phase and the process voltage is back in the normal range, the safety I/O module reintegrates and would go to RUN (ok) state automatically, but shortly before, the "activate_FV_C = 1" command was sent from the PROFIsafe F-Host stack, which leads the safety I/O module to RUN (module passivation with a command) state.

(20) RUN (user acknowledgment request) → RUN (module passivation): Process undervoltage/overvoltage was identified.

(21) RUN (module passivation) → RUN (user acknowledgment request):
● Module error (watchdog or communication error (CRC)) is gone, and
● Command activate_FV_C = 0, then
● Safety I/O module sets OA_Req_S = 1.

(22) RUN (user acknowledgment request) → RUN (ok):
● OA_Req_S = 1 was set by the safety I/O module after the module error is gone.
● OA_C (positive edge) was set by the PROFIsafe F-Host for the given safety I/O module.

(23) RUN (user acknowledgment request) → RUN (module passivation with a command): "activate_FV_C = 1" command was sent from the PROFIsafe F-Host.

(24) RUN (module passivation with a command) → SAFE STOP: Error(s) of severity level 1 (CPU test, RAM test, etc. failed) took place.

(25) RUN (module passivation with a command) → INIT: Power cycle.

(26) RUN (module passivation with a command) → RUN (ok):
● No module error.
● Command activate_FV_C = 0.

(27) RUN (channel passivation and reintegration) → RUN (module passivation): PROFIsafe watchdog, PROFIsafe communication error or undervoltage/overvoltage was detected. Note: In this transition, it is possible that the WD_timeout bit of the PROFIsafe F-Host instance toggles if a watchdog timeout is periodically recognized by the safety I/O module.


(28) RUN (channel passivation and reintegration) → RUN (module passivation with a command): "activate_FV_C = 1" command was sent from the PROFIsafe F-Host stack.

(29) RUN (user acknowledgment request) → RUN (channel passivation and reintegration): This transition is possible only if a channel error was identified before or during module passivation. As a result, after module reintegration one of the channel tests directly brings the safety I/O module to RUN (channel passivation and reintegration) state.

(30) RUN (module passivation) → RUN (ok): If the threshold shut-down value was not reached during the undervoltage phase and the process voltage is back in the normal range, the safety I/O module reintegrates and goes to RUN (ok) state automatically. If the threshold fuse value was not reached during the overvoltage phase and the process voltage is back in the normal range, the safety I/O module reintegrates and goes to RUN (ok) state automatically.

(31) RUN (module passivation) → RUN (module passivation): If a process undervoltage event was detected two times within 1 s, then the safety I/O module remains in RUN (module passivation) state.

(32) RUN (module passivation with a command) → RUN (channel passivation and reintegration): This transition is possible only if a channel error was identified during RUN (module passivation with a command) state. As a result, after command activate_FV_C = 0, the safety I/O module goes to RUN (channel passivation and reintegration) state.
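A model of the state chart above (Fig. 14, Fig. 15 and transitions (1) to (32)), added here as an example and not part of the manual or ABB code: the states, the PROFIsafe status bits reported per state and the transition conditions are taken from the state descriptions and the transition table, while the event names, the "comm"/"voltage" error kinds and the run_scenario helper are this example's own constructions.

```python
"""Model of the safety I/O module state chart (Fig. 14, Fig. 15, transitions (1)-(32)).

Constructed example, not ABB code: state names, events and the status bits per state
follow the state descriptions and the transition table. Timing (the 1 s window of
transition (31)) is not modelled.
"""
from dataclasses import dataclass
from typing import Optional

INIT = "INIT"
RUN_OK = "RUN (ok)"
RUN_CH = "RUN (channel passivation and reintegration)"
RUN_MOD = "RUN (module passivation)"
RUN_MOD_CMD = "RUN (module passivation with a command)"
RUN_ACK = "RUN (user acknowledgment request)"
SAFE_STOP = "SAFE STOP"


@dataclass
class SafetyIOModule:
    state: str = INIT
    channel_error: bool = False          # at least one channel is passivated
    module_error: Optional[str] = None   # None, "comm" (watchdog/CRC) or "voltage"
    activate_fv_c: bool = False          # last activate_FV_C command from the F-Host
    oa_req_s: bool = False               # set by the module in RUN (user ack request)

    def status_bits(self) -> dict:
        """PROFIsafe status bits seen in the F-Host, as listed in the state descriptions.
        For RUN (module passivation with a command) the manual lists FV_activated_S only."""
        return {
            "OA_Req_S": int(self.oa_req_s),
            # fail-safe values are active in every state except the two states in
            # which channels still deliver live values
            "FV_activated_S": int(self.state not in (RUN_OK, RUN_CH)),
            "Device_Fault": int(self.state == RUN_MOD and self.module_error == "voltage"),
            "CE_CRC_or_WD_timeout": int(self.state == RUN_MOD and self.module_error == "comm"),
            # the diagnostic bit is 1 only while channels deliver their process value
            "PROFIsafe_diag_bit": int(self.state == RUN_OK),
        }

    def event(self, name: str, arg: Optional[str] = None) -> str:
        """Apply one event and return the new state. `arg` carries the error kind
        ("comm"/"voltage") or the activate_FV_C value ("on"/"off")."""
        s = self.state
        if name == "power_cycle":                       # (2)(4)(6)(14)(15)(17)(25)
            self.state, self.channel_error, self.module_error = INIT, False, None
            self.activate_fv_c = self.oa_req_s = False
        elif s == SAFE_STOP:
            pass                                        # left only through a power cycle
        elif name == "severity1_error":                 # (5)(9)(12)(13)(16)(24)
            self.state, self.oa_req_s = SAFE_STOP, False
        elif name == "startup_ok" and s == INIT:        # (1)
            self.state = RUN_OK
        elif name == "module_error":                    # (3)(10)(18)(20)(27)(31)
            if s == RUN_ACK and arg != "voltage":
                return s                                # (20) lists only under-/overvoltage
            self.module_error, self.oa_req_s = arg, False
            self.state = RUN_MOD
        elif name == "module_error_gone" and s == RUN_MOD:
            kind, self.module_error = self.module_error, None
            if self.activate_fv_c:                      # (19); (21) needs activate_FV_C = 0
                self.state = RUN_MOD_CMD
            elif kind == "voltage":                     # (30): automatic reintegration
                self.state = RUN_OK
            else:                                       # (21): watchdog/CRC gone, ack needed
                self.state, self.oa_req_s = RUN_ACK, True
        elif name == "channel_error":                   # (7); the flag is also kept in the
            self.channel_error = True                   # other RUN states for (29) and (32)
            if s == RUN_OK:
                self.state = RUN_CH
        elif name == "channel_reintegrated" and s == RUN_CH:   # (8): error gone, request
            self.channel_error, self.state = False, RUN_OK     # bit = 1, ack edge received
        elif name == "activate_fv_c":
            self.activate_fv_c = arg == "on"
            if self.activate_fv_c and s in (RUN_OK, RUN_CH, RUN_ACK):   # (11)(28)(23)
                self.state, self.oa_req_s = RUN_MOD_CMD, False
            elif not self.activate_fv_c and s == RUN_MOD_CMD:          # (26)(32)
                self.state = RUN_CH if self.channel_error else RUN_OK
        elif name == "oa_c_edge" and s == RUN_ACK and self.oa_req_s:   # (22)(29)
            self.oa_req_s = False
            self.state = RUN_CH if self.channel_error else RUN_OK
        return self.state


def run_scenario(events) -> list:
    """Drive a fresh module through (event, arg) pairs and return the visited states."""
    module = SafetyIOModule()
    return [module.event(name, arg) for name, arg in events]


if __name__ == "__main__":
    # watchdog timeout, error clears, F-Host acknowledges with an OA_C edge
    for state in run_scenario([("startup_ok", None), ("module_error", "comm"),
                               ("module_error_gone", None), ("oa_c_edge", None)]):
        print(state)
```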

3.2.3 Undervoltage / overvoltage

If undervoltage (< 18 V) is detected in the safety I/O module, the module goes to RUN (module passivation) state. If the process voltage falls to the threshold shut-down value (16 V), no further communication to the PROFIsafe F-Host is possible. If the threshold shut-down value (16 V) was not reached during the undervoltage phase and the process voltage is back in the normal range (≥ ~18 V), the safety I/O module reintegrates and goes to RUN (ok) state automatically.

To avoid unintended permanent module passivation and reintegration, the following feature is available for the undervoltage case:
● The user has to continuously supervise the Device_Fault bit of the safety I/O module and, if Device_Fault = 1 is detected, passivate the module with activate_FV_C = 1.

If overvoltage (> 31.2 V) is detected in the safety I/O module, the module goes to RUN (module passivation) state. If the process voltage reaches the threshold fuse value (> 35 V), the safety I/O module is damaged and has to be replaced. If the threshold fuse value was not reached during the overvoltage phase and the process voltage is back in the normal range, the safety I/O module reintegrates and goes to RUN (ok) state automatically. To avoid unintended permanent module passivation and reintegration, the same feature (supervision of the Device_Fault bit) as for undervoltage is available.
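The safety-application side of the handshakes described in the state descriptions and in this section, added here as an example that is not part of the manual or ABB code: one cycle of a supervisor on the safety CPU that reads a module's F-Host status bits (OA_Req_S, FV_activated_S, Device_Fault) and the per-channel "Reintegration request" bits and writes OA_C, activate_FV_C and the per-channel "Acknowledge reintegration" bits. Holding activate_FV_C = 1 after a Device_Fault until an operator acknowledgment is this example's own policy; the manual only requires passivating the module when Device_Fault = 1.

```python
"""Safety-application side of the PROFIsafe reintegration handshakes (constructed example).

Inputs per cycle: the F-Host status bits of one safety I/O module and its per-channel
"Reintegration request" bits. Outputs: OA_C, activate_FV_C and the per-channel
"Acknowledge reintegration" bits. Not ABB code; releasing activate_FV_C only after an
operator acknowledgment is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ModuleStatus:
    oa_req_s: int                    # module asks for acknowledgment of its reintegration
    fv_activated_s: int              # fail-safe values active
    device_fault: int                # under-/overvoltage detected by the module
    reint_request: Tuple[int, ...]   # "Reintegration request" bit per channel


@dataclass
class ModuleSupervisor:
    channels: int
    hold_passivated: bool = False    # Device_Fault seen: keep activate_FV_C = 1
    oa_c: int = 0                    # last value written to OA_C
    oa_pending: bool = False         # operator acknowledged, OA_Req_S still 1
    ack_reint: List[int] = field(default_factory=list)

    def __post_init__(self):
        self.ack_reint = [0] * self.channels

    def cycle(self, st: ModuleStatus, operator_ack: bool) -> dict:
        # 1. Under-/overvoltage (3.2.3): on Device_Fault = 1 passivate the module with
        #    activate_FV_C = 1 so it cannot flap between passivation and reintegration.
        #    Release only once the fault is gone and an operator acknowledged (assumption).
        if st.device_fault:
            self.hold_passivated = True
        elif self.hold_passivated and operator_ack:
            self.hold_passivated = False
        activate_fv_c = int(self.hold_passivated)

        # 2. Module reintegration: after the operator acknowledges, keep producing
        #    positive edges on OA_C until the module reports OA_Req_S = 0.
        if st.oa_req_s and operator_ack:
            self.oa_pending = True
        if not st.oa_req_s:
            self.oa_pending = False
        # toggling gives a new 0->1 edge every second cycle while the request stands
        self.oa_c = (self.oa_c ^ 1) if self.oa_pending else 0

        # 3. Channel reintegration: a 0->1 edge on the acknowledge bit of every channel
        #    whose "Reintegration request" bit is 1 and that the operator acknowledged.
        for i, req in enumerate(st.reint_request):
            self.ack_reint[i] = int(req == 1 and operator_ack and self.ack_reint[i] == 0)

        return {"OA_C": self.oa_c, "activate_FV_C": activate_fv_c,
                "ack_reintegration": tuple(self.ack_reint)}


if __name__ == "__main__":
    # constructed sequence: undervoltage, voltage back, operator acknowledges
    sup = ModuleSupervisor(channels=2)
    for st, ack in [(ModuleStatus(0, 1, 1, (0, 0)), False),
                    (ModuleStatus(0, 1, 0, (0, 0)), False),
                    (ModuleStatus(0, 1, 0, (0, 0)), True)]:
        print(sup.cycle(st, ack))
```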


3.2.4 Diagnosis

DANGER!
The diagnosis data is not safety-relevant and, thus, shall not be used in the safety application program for execution of safety functions.


Fig. 16: LED states of safety I/O modules during start-up (example with AI581-S module)

1 State 1 - Hardware reset and initialization
2 State 2 - LED test
3 State 3 - End state of initialization
4 State 4 - Parameterization is complete, but no PROFIsafe communication yet

NOTICE!
External errors (wiring or sensor errors) in safety I/O modules lead to channel passivation ("0" values are delivered). As soon as an external error is fixed and this is recognized by internal safety I/O module tests, safety I/O module channels request an acknowledgment for their reintegration to the normal safety process control mode. The user can acknowledge such channels using dedicated channel bits (refer to Fig. 73 on page 148).

Error messages

Safety I/O module error messages are aggregated together with other module error messages in the non-safety CPU.

With AC500 V2 non-safety CPU: Ä Appendix B.2.2 “Error messages for safety I/O modules” on page 389

With AC500 V3 non-safety CPU: Ä Appendix C.2.2 “Error messages for safety I/O modules” on page 404

The complete list of AC500 error messages can be found in Ä [3].


3.3 DI581-S safety digital input module


Fig. 17: Safety digital input module DI581-S, plugged on terminal unit TU582-S

Elements of the module
1 I/O bus
2 System LED
3 Allocation terminal no. - signal name
4 16 yellow/red LEDs signal status I0 ... I7/I8 ... I15
5 8 unique phase-shifted test pulse outputs T0 ... T3/T4 ... T7
6 2 rotary switches for PROFIsafe address
7 Green LED for process voltage UP
8 Red LEDs to display module errors
9 Label (TA525)
10 I/O terminal unit (TU582-S)

3.3.1 Purpose

Safety digital input module DI581-S can be used as a remote expansion module at CI501-PNIO, CI502-PNIO, CI504-PNIO and CI506-PNIO PROFINET modules or locally at AC500 CPUs for up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) safety applications.

NOTICE!
The SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1) reachable in your safety application depend on the wiring of your sensors to the DI581-S module Ä Chapter 3.3.7 “Circuit examples DI581-S” on page 73.

DI581-S contains 16 safety digital inputs 24 V DC separated in two groups (2.0 ... 2.7 and 4.0 ... 4.7) with no potential separation between the channels.


The inputs are not electrically isolated from the other electronic circuitry of the module.

3.3.2 Functionality

● Digital inputs: 16 (24 V DC)
● LED displays for signal status, module errors, channel errors and supply voltage
● Internal power supply through the I/O bus interface
● External power supply via the terminals ZP and UP (process voltage 24 V DC)

Self-tests and diagnostic functions (both start-up and runtime), like CPU and RAM tests, program flow control, cross-talk and stuck-at-1 tests, etc. are implemented in DI581-S according to IEC 61508 SIL 3 requirements.

NOTICE! Only F_Dest_Add is used for PROFIsafe F-Device identification in DI581-S.

DI581-S contains 16 safety digital input channels with the following features:
● Phase-shifted (unique) test pulses T0 ... T7 can be used for the connection of mechanical sensors. Test pulse outputs T0 ... T7 provide a 24 V signal with short, phase-shifted, unique pulses (0 V) of 1 ms. Since the test pulses on each of the test pulse output channels are unique (due to the phase shift), they can be used to monitor cross-talk between the given input channel with its connected test pulse output and another wire, e.g. one carrying 24 V DC, another test pulse output, etc. Test pulse outputs are dedicated:
  – T0 can be used only with input channels I0 and I1
  – T1 can be used only with input channels I2 and I3
  – T2 can be used only with input channels I4 and I5
  – T3 can be used only with input channels I6 and I7
  – T4 can be used only with input channels I8 and I9
  – T5 can be used only with input channels I10 and I11
  – T6 can be used only with input channels I12 and I13
  – T7 can be used only with input channels I14 and I15

● Input delay with the following values: 1 ms, 2 ms, 5 ms, 10 ms, 15 ms, 30 ms, 50 ms, 100 ms, 200 ms, 500 ms. The input delay value of 1 ms is the minimum.

NOTICE! The allowed signal frequency on safety digital inputs depends on the input delay value configured for the given channel. To avoid occasional input channel passivation, the pulse length of the input signal shall be at least:

Channel input delay | Min. pulse length of input signal | Corresponding max. frequency
--- | --- | ---
1 ... 10 ms | ≥ 15 ms | ~ 65 Hz
15 ms | ≥ 20 ms | ~ 50 Hz
30 ms | ≥ 40 ms | ~ 25 Hz
50 ms | ≥ 60 ms | ~ 15 Hz
100 ms | ≥ 120 ms | ~ 8 Hz
200 ms | ≥ 250 ms | ~ 4 Hz
500 ms | ≥ 600 ms | ~ 1.5 Hz


DANGER! The input delay parameter means that signals with a duration shorter than the input delay value are never captured by the safety module. Signals with a duration equal to or longer than "input delay parameter" + "input delay accuracy" are always captured by the safety module, provided that the allowed frequency (refer to the previous notice) of the safety input signal is not exceeded. A signal whose duration lies between these two bounds may or may not be captured.
The "input delay accuracy" can be estimated based on the following assumptions:
– If no test pulses are configured for the given safety digital input, then the input delay accuracy can be calculated as 1 % of the set input delay value (however, the input delay accuracy value must be at least 0.5 ms!).
– If test pulses are configured for the given safety digital input of the DI581-S module, then the input delay accuracy values can be estimated based on the input delay parameter value, see Table 4 "Input delay accuracy for DI581-S" on page 67.

Table 4: Input delay accuracy for DI581-S

Input delay (ms) | Input delay accuracy (ms)
--- | ---
1 | 2
2 | 2
5 | 3
10 | 4
15 | 5
30 | 6
50 | 7
100 | 10
200 | 15
500 | 25
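The following Python model is an added example for the input delay rules above (the allowed-frequency notice, the DANGER box and Table 4); it is not code from the ABB manual or the module firmware. The module's internal filter is not documented on this page, so the model implements only the stated contract: a pulse shorter than the input delay is never captured, a pulse of at least "input delay + input delay accuracy" always is, and anything in between may or may not be. The 0.1 ms sample resolution and the hold-time debounce used to simulate the two bounds are assumptions of the model.

```python
"""Model of the DI581-S input delay filter and its capture guarantee.

Added example, not code from the ABB manual. Sample resolution and the
debounce mechanism are assumptions; the bounds come from the manual text.
"""

INPUT_DELAYS_MS = (1, 2, 5, 10, 15, 30, 50, 100, 200, 500)

# Table 4: input delay accuracy (ms) when test pulses are enabled on the channel
ACCURACY_TEST_PULSES_MS = {1: 2, 2: 2, 5: 3, 10: 4, 15: 5,
                           30: 6, 50: 7, 100: 10, 200: 15, 500: 25}

# Minimum input pulse length (ms) per input delay from the NOTICE,
# below which occasional channel passivation is possible
MIN_PULSE_MS = {1: 15, 2: 15, 5: 15, 10: 15, 15: 20,
                30: 40, 50: 60, 100: 120, 200: 250, 500: 600}

SAMPLE_MS = 0.1  # assumed resolution of this model, not a module property


def input_delay_accuracy_ms(delay_ms, test_pulses):
    """Accuracy per the DANGER box: Table 4 with test pulses, else 1 % (min 0.5 ms)."""
    if delay_ms not in INPUT_DELAYS_MS:
        raise ValueError("input delay not configurable: %r" % (delay_ms,))
    if test_pulses:
        return float(ACCURACY_TEST_PULSES_MS[delay_ms])
    return max(0.01 * delay_ms, 0.5)


def classify_pulse(width_ms, delay_ms, test_pulses):
    """'never', 'maybe' or 'always' captured, straight from the documented rule."""
    if width_ms < delay_ms:
        return "never"
    if width_ms >= delay_ms + input_delay_accuracy_ms(delay_ms, test_pulses):
        return "always"
    return "maybe"


def violates_min_pulse(width_ms, delay_ms):
    """True if the signal is shorter than the NOTICE allows (passivation risk)."""
    return width_ms < MIN_PULSE_MS[delay_ms]


def debounce(levels, hold_samples):
    """Pass a level change on only after it has persisted for hold_samples samples."""
    out, current, run = [], levels[0], 0
    for level in levels:
        if level == current:
            run = 0
        else:
            run += 1
            if run >= hold_samples:
                current, run = level, 0
        out.append(current)
    return out


def simulate_capture(width_ms, hold_ms):
    """Does one isolated high pulse of width_ms survive a filter holding hold_ms?"""
    pad = int(round(2 * hold_ms / SAMPLE_MS)) + 1
    pulse = int(round(width_ms / SAMPLE_MS))
    wave = [False] * pad + [True] * pulse + [False] * pad
    return any(debounce(wave, int(round(hold_ms / SAMPLE_MS))))


def classify_by_simulation(width_ms, delay_ms, test_pulses):
    """Cross-check: run the filter at its fastest and slowest documented response."""
    fastest = simulate_capture(width_ms, delay_ms)
    slowest = simulate_capture(
        width_ms, delay_ms + input_delay_accuracy_ms(delay_ms, test_pulses))
    if fastest and slowest:
        return "always"
    if not fastest and not slowest:
        return "never"
    return "maybe"


if __name__ == "__main__":
    # Constructed pulse widths against the 5 ms default input delay
    for width in (3.0, 5.2, 6.0, 8.0, 20.0):
        for tp in (False, True):
            rule = classify_pulse(width, 5, tp)
            sim = classify_by_simulation(width, 5, tp)
            warn = " (below allowed min. pulse length)" if violates_min_pulse(width, 5) else ""
            print("delay 5 ms, test pulses %-5s pulse %5.1f ms: %s / %s%s"
                  % (tp, width, rule, sim, warn))
```

With the default 5 ms delay and no test pulses a 6 ms pulse is always captured, but the same pulse becomes "maybe" once test pulses are enabled on the channel (accuracy rises from 0.5 ms to 3 ms). Both cases are still shorter than the 15 ms the notice requires, so a channel fed such signals can be passivated occasionally even though single pulses are captured.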

● Checking of the process power supply (a diagnostic message is sent from the safety I/O module to the CPU informing about the lack of process power supply for the given safety I/O module). This function is a non-safety one and is not related to the internal safety-relevant over- and undervoltage detection.

● 2 channel equivalent and 2 channel antivalent mode with discrepancy time monitoring (configurable 10 ms ... 30 s).

NOTICE! In a 2 channel mode, the lower channel (channels 0/8 ➔ Channel 0, channels 1/9 ➔ Channel 1, etc.) transports the aggregated process value, PROFIsafe diagnostic bit, acknowledgment request and acknowledge reintegration information. The higher channel always provides the passivated value "0".


DANGER! After a discrepancy time error, the relevant channels are passivated. As soon as a valid sensor state is observed (equivalent or antivalent, depending on the selected mode), the reintegration request status bit for the given channel becomes TRUE. You can acknowledge the error using the acknowledge reintegration command bit for the given channel. This can directly lead to a machine start, because both TRUE - TRUE and FALSE - FALSE are valid states for equivalence and both TRUE - FALSE and FALSE - TRUE are valid states for antivalence.
Make sure that such behavior is acceptable in your safety application. If not, you can either use the included PLCopen Safety POUs for 2 channel evaluation in your safety program or write your own POUs for 2 channel evaluation on the safety CPU.

Fig. 18: 2 channel equivalent mode implemented in DI581-S


Fig. 19: 2 channel antivalent mode implemented in DI581-S

NOTICE! 2 channel equivalent and 2 channel antivalent modes are implemented in the DI581-S and DX581-S modules to handle relatively static safety signals, e.g., those for emergency stop devices. If frequently changing signals, like those from light curtains, laser scanners, door switches, etc. must be handled by DI581-S and DX581-S, then it is highly recommended to use an input delay of 1 ms for these channels, or to configure the related channels in 1 channel mode and do the 2 channel equivalent and 2 channel antivalent evaluation on the safety CPU using the PLCopen Safety FBs SF_Equivalent (see Chapter 4.6.4.2 "SF_Equivalent" on page 206) and SF_Antivalent (see Chapter 4.6.4.3 "SF_Antivalent" on page 211).
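The following Python model is an added example of the 2 channel mode described above (the discrepancy time monitoring, the DANGER box on reintegration, the notice on the lower/higher channel and the "Discrepancy time" parameter in 3.3.6); it is not code from the ABB manual or the module firmware. It shows why acknowledging reintegration can start a machine on its own and one way the safety CPU can guard against that. Assumptions not documented on the page: the aggregated value is FALSE while the pair is inconsistent, in antivalent mode the aggregated value follows the lower channel, the error is raised once the inconsistency has lasted longer than the configured discrepancy time, and the StartInterlock is one common restart pattern rather than an ABB function block.

```python
"""Model of the DI581-S 2 channel equivalent / antivalent input mode.

Added example, not ABB code. Module behaviour follows the manual text;
the items marked "assumption" are not documented on the page.
"""
from collections import namedtuple

# Configurable discrepancy times from the parameter table in 3.3.6 (ms)
DISCREPANCY_MS = (10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 150, 200, 250, 300,
                  400, 500, 750, 1000, 2000, 3000, 4000, 5000, 10000, 20000, 30000)

# Lower channel carries the aggregated value, diagnostic bit and reintegration
# request; the higher channel always delivers the passivated value "0".
ChannelState = namedtuple("ChannelState", "lower higher diag reint_request")


class TwoChannelInput:
    """One channel pair (Ix, Ix+8) evaluated inside the module."""

    def __init__(self, mode, discrepancy_ms):
        if mode not in ("equivalent", "antivalent"):
            raise ValueError("mode must be 'equivalent' or 'antivalent'")
        if discrepancy_ms not in DISCREPANCY_MS:
            raise ValueError("discrepancy time not configurable: %r" % (discrepancy_ms,))
        self.mode, self.discrepancy_ms = mode, discrepancy_ms
        self.passivated = False
        self.reint_request = False
        self._inconsistent_ms = 0.0

    def _valid(self, lower, higher):
        return lower == higher if self.mode == "equivalent" else lower != higher

    def step(self, lower, higher, ack=False, dt_ms=10.0):
        """One module cycle of dt_ms with the raw levels of both channels."""
        valid = self._valid(lower, higher)
        if valid:
            self._inconsistent_ms = 0.0
        else:
            self._inconsistent_ms += dt_ms
            if self._inconsistent_ms > self.discrepancy_ms:   # assumption: strictly longer
                self.passivated = True                         # discrepancy time error
        if self.passivated:
            self.reint_request = valid        # valid state seen again: ask for acknowledge
            if valid and ack:                 # acknowledge reintegration command bit
                self.passivated, self.reint_request = False, False
        # Aggregated value: FALSE while passivated or inconsistent (assumption),
        # otherwise the lower channel level (equal to the higher one in equivalent mode)
        value = (not self.passivated) and valid and lower
        return ChannelState(lower=value, higher=False,
                            diag=self.passivated, reint_request=self.reint_request)


class StartInterlock:
    """Safety-CPU side guard (assumed common pattern, not an ABB POU): release only
    on a reset rising edge while the input is TRUE and drop release as soon as the
    input is FALSE, so a reintegration alone never restarts the machine."""

    def __init__(self):
        self.release = False
        self._prev_reset = False

    def step(self, value, reset):
        if not value:
            self.release = False
        elif reset and not self._prev_reset:
            self.release = True
        self._prev_reset = reset
        return self.release


def run_scenario(mode="equivalent", discrepancy_ms=50, scan_ms=10):
    """Constructed E-stop scenario (two NC contacts). Returns, per phase, the
    aggregated value, diagnostic bit, reintegration request and interlock release."""
    channel, lock, log = TwoChannelInput(mode, discrepancy_ms), StartInterlock(), []

    def run(label, lower, higher, scans, ack=False, reset=False):
        for _ in range(scans):
            state = channel.step(lower, higher, ack=ack, dt_ms=scan_ms)
            release = lock.step(state.lower, reset)
        log.append((label, state.lower, state.diag, state.reint_request, release))

    run("healthy, both contacts closed", True, True, 3)
    run("contact 1 opens, contact 2 stuck closed for 100 ms", False, True, 10)
    run("contact 2 finally opens (valid state again)", False, False, 2)
    run("E-stop released, both closed, no acknowledge yet", True, True, 2)
    run("acknowledge reintegration: value jumps to TRUE", True, True, 1, ack=True)
    run("operator presses reset: interlock releases", True, True, 1, reset=True)
    return log


if __name__ == "__main__":
    for label, value, diag, reint, release in run_scenario():
        print("%-55s value=%-5s diag=%-5s reint_req=%-5s release=%s"
              % (label, value, diag, reint, release))
```

In the fifth phase the module's aggregated value becomes TRUE in the very cycle the acknowledge bit is set, which is the behaviour the DANGER box warns about; the interlock keeps the release FALSE until a separate reset edge. The same TwoChannelInput class in antivalent mode with a 10 ms discrepancy time passivates the pair on the second inconsistent 10 ms cycle.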

3.3.3 Mounting, dimensions and electrical connection

The input modules can be plugged only on the spring-type TU582-S I/O terminal unit. The unique mechanical coding on I/O terminal units prevents the mistake of placing a non-safety I/O module on a safety I/O terminal unit and the other way around. Basic information on system assembly is shown here. Detailed information can be found in [3].


Installation and maintenance have to be performed according to the technical rules, codes andrelevant standards, e.g. EN 60204 part 1, by skilled electricians only.

DANGER! Hot plug and hot swap of energized modules is not permitted. All power sources (supply and process voltages) must be switched off while working with safety modules.

Fig. 20: Assembly instructions

1. Put the module on the terminal unit.
   ⇒ The module clicks in.
2. Then press the module with a force of at least 100 N into the terminal unit to achieve proper electrical contact.


Fig. 21: Disassembly instructions

Press above and below, then remove the module.

Fig. 22: Dimensions of DI581-S safety I/O module (drawing: DI581-S on TU582-S, front and side views; dimensions in mm (inches): 57.7 (2.27), 59 (2.32), 70.5 (2.78), 135 (5.31), 67.5 (2.66), 28 (1.10), 21 (0.83), 54 (2.13), 75 (2.95), 76 (2.99), 77 (3.03), 84.5 (3.33); shown for DIN rail 15 mm and DIN rail 7.5 mm)

NOTICE! The same TU582-S is used by all AC500-S safety I/O modules. If a TU582-S is wired for a DX581-S module with safety digital outputs and a DI581-S or AI581-S module is accidentally placed on this terminal unit, under no circumstances can the safety digital output clamps on the TU582-S become energized due to the wrongly placed DI581-S or AI581-S safety I/O module.

The electrical connection of the I/O channels is carried out using the 40 terminals of the I/O terminal unit. I/O modules can be replaced without re-wiring the terminal units.


The terminals 1.8, 2.8, 3.8 and 4.8 as well as 1.9, 2.9, 3.9 and 4.9 are electrically interconnected within the I/O terminal unit and always have the same assignment, independent of the inserted module:
● Terminals 1.8, 2.8, 3.8 and 4.8: Process voltage UP = +24 V DC
● Terminals 1.9, 2.9, 3.9 and 4.9: Process voltage ZP = 0 V
The assignment of the other terminals:

Terminals | Signal | Meaning
--- | --- | ---
1.0, 1.2, 1.4, 1.6, 3.0, 3.2, 3.4, 3.6 | T0, T1, T2, T3, T4, T5, T6, T7 | Connectors of 8 test pulse outputs T0, T1, T2, T3, T4, T5, T6, T7
2.0 ... 2.7, 4.0 ... 4.7 | I0, I1, I2, I3, I4, I5, I6, I7, I8, I9, I10, I11, I12, I13, I14, I15 | 16 safety digital inputs
1.8, 2.8, 3.8, 4.8 | UP | Process power supply +24 V DC
1.9, 2.9, 3.9, 4.9 | ZP | Central process earth
1.1, 1.3, 1.5, 1.7, 3.1, 3.3, 3.5, 3.7 | Free | Not used

NOTICE! The process voltage must be included in the earthing concept of the control system (e.g., earthing the minus pole).

Examples of electrical connections with DI581-S module and single channel Ix.

Fig. 23: Example of electrical connections with DI581-S (drawing: UP +24 V on terminals 1.8 / 2.8 / 3.8 / 4.8 and ZP 0 V on 1.9 / 2.9 / 3.9 / 4.9; inputs I0 ... I7 on 2.0 ... 2.7 and I8 ... I15 on 4.0 ... 4.7; test pulse outputs T0 ... T7 on 1.0, 1.2, 1.4, 1.6, 3.0, 3.2, 3.4, 3.6, each marked Uout)


Fig. 24: Example of single channel with DI581-S (drawing: sensor contact from UP to input Ix, with ZP as reference potential)

3.3.4 Internal data exchange

Inputs (bytes): 6
Outputs (bytes): 2

3.3.5 I/O configuration

The safety digital input module DI581-S does not store configuration data itself. The configuration data is stored on the safety and non-safety CPUs.

3.3.6 Parameterization

The arrangement of the parameter data is performed by your system configuration software Automation Builder. The ABB GSDML file for PROFINET devices can be used to configure DI581-S parameters in 3rd party PROFINET F-Host systems. The parameter setting directly influences the functionality of the modules and the reachable SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1).

No. | Name | Values | Default
--- | --- | --- | ---
1 | Check supply | "On", "Off" | "On"
2 | Configuration | "Not used", "1 channel", "2 channel equivalent", "2 channel antivalent" | "Not used"
3 | Test pulse | "Disabled", "Enabled" | "Disabled"
4 | Input delay | "1 ms", "2 ms", "5 ms", "10 ms", "15 ms", "30 ms", "50 ms", "100 ms", "200 ms", "500 ms" | "5 ms"
5 | Discrepancy time* | "10 ms", "20 ms", "30 ms", "40 ms", "50 ms", "60 ms", "70 ms", "80 ms", "90 ms", "100 ms", "150 ms", "200 ms", "250 ms", "300 ms", "400 ms", "500 ms", "750 ms", "1 s", "2 s", "3 s", "4 s", "5 s", "10 s", "20 s", "30 s" | "50 ms"

* Available only for "2 channel equivalent" and "2 channel antivalent" configuration

3.3.7 Circuit examples DI581-S

Examples of electrical connections and the reachable SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1) with the DI581-S module are presented below.


NOTICE! Whenever DC = High is used in the circuit examples with safety digital inputs, the following measure from ISO 13849-1 [9] is used with the DI581-S module: cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical software monitoring of the program flow and detection of static faults and short circuits (for multiple I/O).
Whenever DC = Medium is used in the circuit examples with safety digital inputs, any of the measures for input devices with DC ≥ 90 % can be used from ISO 13849-1 [9].

1-channel sensor

Max. SIL / PL 1), 2): Max. SIL 1 / PL c
SIL 3): SIL 2

Fig. 25: Circuit example DI581-S, 1-channel sensor (drawing: a single sensor contact wired to one DI581-S input, 24 V DC / GND supply)
1) MTTFd = High, DC = 0
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required) ➔ without error exclusion (you can reach higher levels up to SIL 3 with error exclusion)

1-channel OSSD output (with internal tests)

Max. SIL / PL 1), 2): Max. SIL 1 / PL c
SIL 3): SIL 2

Fig. 26: Circuit example DI581-S, 1-channel OSSD output (with internal tests) (drawing: one OSSD output of the sensor wired to one DI581-S input, 24 V DC / GND supply)
1) MTTFd = High, DC = 0
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required) ➔ without error exclusion (you can reach higher levels up to SIL 3 with error exclusion)

2-channel sensor (equivalent)

2-channel evaluation: in DI581-S module
Max. SIL / PL 1), 2): Max. SIL 2 / PL d
SIL 3): SIL 3

Fig. 27: Circuit example DI581-S, 2-channel sensor (equivalent) (drawing: two equivalent sensor contacts wired to a DI581-S channel pair, 24 V DC / GND supply)
1) MTTFd = High, DC = Medium
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

2-channel sensor (antivalent)

2-channel evaluation: in DI581-S module
Max. SIL / PL 1), 2): Max. SIL 2 / PL d
SIL 3): SIL 3

Fig. 28: Circuit example DI581-S, 2-channel sensor (antivalent) (drawing: two antivalent sensor contacts wired to a DI581-S channel pair, 24 V DC / GND supply)
1) MTTFd = High, DC = Medium
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

2-channel OSSD output (with internal tests)

2-channel evaluation: in DI581-S module
Max. SIL / PL 1), 2): Max. SIL 3 / PL e
SIL 3): SIL 3

Fig. 29: Circuit example DI581-S, 2-channel OSSD output (with internal tests) (drawing: the two OSSD outputs of the sensor wired to a DI581-S channel pair, 24 V DC / GND supply)
1) MTTFd = High, DC = High
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

1-channel sensor with test pulses

Max. SIL / PL 1), 2): Max. SIL 2 / PL d
SIL 3): SIL 3

Fig. 30: Circuit example DI581-S, 1-channel sensor with test pulses (drawing: one sensor contact fed from a test pulse output and returned to its dedicated DI581-S input, 24 V DC / GND supply)
1) MTTFd = High, DC = Medium
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

2-channel sensor (equivalent) with test pulses

2-channel evaluation: in safety CPU
Max. SIL / PL 1), 2): Max. SIL 2 / PL d
SIL 3): SIL 3

Fig. 31: Circuit example DI581-S, 2-channel sensor (equivalent) with test pulses (drawing: two equivalent sensor contacts, each fed from a test pulse output and returned to its dedicated DI581-S input, 24 V DC / GND supply)
1) MTTFd = High, DC = Medium
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

2-channel sensor (equivalent) with test pulses

2-channel evaluation: in DI581-S module
Max. SIL / PL 1), 2): Max. SIL 3 / PL e
SIL 3): SIL 3

Fig. 32: Circuit example DI581-S, 2-channel sensor (equivalent) with test pulses (drawing: two equivalent sensor contacts, each fed from a test pulse output and returned to its dedicated DI581-S input of one channel pair, 24 V DC / GND supply)
1) MTTFd = High, DC = High
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

2 x OSSD output (with internal tests)

2-channel evaluation: in DI581-S module
Max. SIL / PL 1), 2): Max. SIL 3 / PL e
SIL 3): SIL 3

Fig. 33: Circuit example DI581-S, 2 x OSSD output (with internal tests) (drawing: two OSSD outputs wired to a DI581-S channel pair, 24 V DC / GND supply)
1) MTTFd = High, DC = High
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

2 separate sensors with test pulses

2-channel evaluation: in safety CPU
Max. SIL / PL 1), 2): Max. SIL 2 / PL d
SIL 3): SIL 3

Fig. 34: Circuit example DI581-S, 2 separate sensors with test pulses (drawing: two separate sensor contacts, each fed from a test pulse output and returned to its dedicated DI581-S input, 24 V DC / GND supply)
1) MTTFd = High, DC = Medium
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

2 x 2-channel sensor (antivalent) with test pulses

2-channel evaluation: first in DI581-S module and then in the safety CPU
Max. SIL / PL 1), 2): Max. SIL 3 / PL e
SIL 3): SIL 3

Fig. 35: Circuit example DI581-S, 2 x 2-channel sensor (antivalent) with test pulses (drawing: two antivalent 2-channel sensors, each contact fed from a test pulse output and returned to its dedicated DI581-S input, 24 V DC / GND supply)
1) MTTFd = High, DC = High
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

Mode switch 1 from 4

Mode switch evaluation: in safety CPU
Max. SIL / PL 1), 2): Max. SIL 1 / PL c
SIL 3): SIL 2

Fig. 36: Circuit example DI581-S, mode switch 1 from 4 (drawing: a mode switch with four positions wired to DI581-S inputs, 24 V DC / GND supply)
1) MTTFd = High, DC = Low
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required) ➔ without error exclusion (you can reach higher levels up to SIL 3 with error exclusion)

3.3.8 LED status display

Table 5: Status display and its meaning

LED | Description | Color | LED = OFF | LED = ON | LED flashes
--- | --- | --- | --- | --- | ---
Inputs 0 ... 15 | Digital input | Yellow | Input = OFF | Input = ON (the input voltage is displayed even if the supply voltage is OFF) | -
Inputs 0 ... 15 | Channel error | Red | No channel error | Channel error | -
UP | Process voltage +24 V DC via terminal | Green | Process supply voltage is missing | Process supply voltage is OK | -
PWR | +3.3 V voltage from I/O bus | Green | +3.3 V I/O bus voltage is not available | +3.3 V I/O bus voltage is available | -
ERR1 | Module error indicator 1 | Red | No module error | Module error which leads to a SAFE STOP state | Module passivation and/or acknowledgment request (alternating blinking)
ERR2 | Module error indicator 2 | Red | No module error | Module error which leads to a SAFE STOP state | Module passivation and/or acknowledgment request (alternating blinking)

3.3.9 Technical data

NOTICE! A DI581-S-XC version is available for use in extreme environmental conditions, see Appendix A "System data for AC500-S-XC" on page 376.

Additional technical data is available in ABB PLC catalog at www.abb.com/plc.

Process supply voltage UP:

Data | Value | Unit
--- | --- | ---
Connections terminals 1.8 ... 4.8 (UP) | +24 | V
Connections terminals 1.9 ... 4.9 (ZP) | 0 | V
Rated value (-15 %, +20 %, without ripple) | 24 | V DC
Max. ripple | 5 | %
Protection against reversed voltage | Yes |
Rated protection fuse for UP (fast) | 10 | A
Electrical isolation | per module |
Mechanisms in which I/Os are processed | periodically refreshed |
Current consumption from UP at normal operation with +24 V DC (for module electronics) | 0.18 | A
Inrush current from UP at 30 V (at power up) | 0.1 | A²s
Inrush current from UP at 24 V (at power up) | 0.06 | A²s

NOTICE! All DI581-S channels (including test pulse outputs) are protected against reverse polarity, reverse supply, short circuit and continuous overvoltage up to 30 V DC.

Mounting position: Horizontal or vertical with derating (maximal operating temperature reduced to +40 °C)

Cooling: The natural convection cooling must not be hindered by cable ducts or other parts in the switchgear cabinet.

Allowed interruptions of power supply, according to EN 61131-2:

Data | Value | Unit
--- | --- | ---
DC supply interruptions | < 10 | ms
Time between 2 DC supply interruptions, PS2 | > 1 | s

Environmental conditions:

Data | Value | Unit
--- | --- | ---
Operating temperature* | 0 ... +60 | °C
Storage temperature | -40 ... +85 | °C
Transport temperature | -40 ... +85 | °C
Humidity without condensation | max. 95 | %
Operating air pressure | > 800 | hPa
Storage air pressure | > 660 | hPa
Operating altitude | < 2000 | m above sea level
Storage altitude | < 3500 | m above sea level

* Extended temperature ranges (below 0 °C and above +60 °C) can be supported in special versions of DI581-S, see Appendix A "System data for AC500-S-XC" on page 376.

The creepage distances and clearances meet the overvoltage category II, pollution degree 2.

For the supply of modules, power supply units according to PELV/SELV specifications must beused.

For information on electromagnetic compatibility refer to the latest TÜV SÜD Report Ä [1].

Data Value UnitDegree of protection IP 20

Housing according to UL 94

Vibration resistance acc. to EN 61131-2 (all three axes),continuous 3.5 mm

2 ... 15 Hz

Vibration resistance acc. to EN 61131-2 (all three axes),continuous 1 g *

15 ...150 Hz

Shock test (all three axes), 11 ms half-sinusoidal 15 g

MTBF 102 years

* Higher values on request

Start-up and runtime tests: Program flow control, RAM, CPU, cross-talk, stuck-at-1, etc.

Data Value UnitW x H x D 67.5 x 76 x 62 mm

Weight ~ 130 g

Allowed inter-ruptions ofpower supply,according to EN61131-2

Environmentalconditions

Creepage dis-tances andclearancesPower supplyunits

Electromagneticcompatibility

Mechanicalproperties

Self-test anddiagnostic func-tionsDimensions,weight


Certifications | CE, cUL (further certifications at www.abb.com/plc)

3.3.9.1 Technical data of safety digital inputs

Data | Value | Unit
Number of input channels per module | 16 |
Terminals of the channels I0 to I7 | 2.0 ... 2.7 |
Terminals of the channels I8 to I15 | 4.0 ... 4.7 |
Terminals of reference potential for all inputs (minus pole of the process supply voltage, signal name ZP) | 1.9 ... 4.9 |
Electrical isolation from the rest of the module (I/O bus) | Yes |
Input type acc. to EN 61131-2 | Type 1 |
Input delay (0 ➔ 1 or 1 ➔ 0), configurable | 1 ... 500 | ms

Input signal indication: One yellow LED per channel, the LED is ON when the input signal is high (signal 1).

Signal voltage
Data | Value | Unit
Input signal voltage | 24 | V DC
Signal 0 | -3 ... +5 | V
Undefined signal | > +5 ... < +15 | V
Signal 1 | +15 ... +30 | V

Input current per channel
Data | Value | Unit
Input voltage +24 V, typically | 7 | mA
Input voltage +5 V | > 1 | mA
Input voltage +15 V | > 4 | mA
Input voltage +30 V | < 8 | mA

Cable length
Data | Value | Unit
Max. cable length, shielded | 1000 | m
Max. cable length, unshielded | 600 | m

3.3.9.2 Technical data of non-safety test pulse outputs

DANGER! Exceeding the permitted process or supply voltage range (< -35 V DC or > +35 V DC) could lead to unrecoverable damage of the system.


Data | Value | Unit
Number of test pulse channels per module (transistor test pulse outputs) | 8 |
Terminals of the channels T0 to T3 | 1.0, 1.2, 1.4, 1.6 |
Terminals of the channels T4 to T7 | 3.0, 3.2, 3.4, 3.6 |
Terminals of reference potential for all test pulse outputs (minus pole of the process supply voltage, signal name ZP) | 1.9 ... 4.9 |
Terminals of common power supply voltage for all outputs (plus pole of the process supply voltage, signal name UP) | 1.8 ... 4.8 |
Output voltage for signal 1 | UP - 0.8 | V
Length of test pulse 0 phase | 1 | ms

Output current
Data | Value | Unit
Rated value, per channel | 10 | mA
Maximum value (all channels together) | 80 | mA
Short-circuit proof / overload proof | yes |
Output current limitation | 65 | mA
Resistance to feedback against 24 V signal connection | yes |

Cable length
Data | Value | Unit
Max. cable length, shielded | 1000 | m
Max. cable length, unshielded | 600 | m

3.3.10 Ordering data

Type | Description | Part no.
DI581-S | Safety digital input module 16SDI | 1SAP 284 000 R0001
DI581-S-XC | Safety digital input module 16SDI, extreme conditions | 1SAP 484 000 R0001


3.4 DX581-S safety digital input/output module

[Fig. 37: Safety digital input/output module DX581-S, plugged on terminal unit TU582-S. Front view; the module label reads "UP 24VDC 100W 8SDI 8SDO, Safety Digital Input 24VDC, Safety Digital Output 24VDC 0.5A". Terminal rows 1.0 ... 4.9 with signal names: 1.0 T0, 1.2 T1, 3.0 T2, 3.2 T3; 2.0 ... 2.3 I0 ... I3; 4.0 ... 4.3 I4 ... I7; 2.4 ... 2.7 O0 ... O3; 4.4 ... 4.7 O4 ... O7; 1.8, 2.8, 3.8, 4.8 UP; 1.9, 2.9, 3.9, 4.9 ZP. LEDs PWR, ERR1, ERR2; rotary switches ADDR x10H and x01H (positions 0 ... F).]

Elements of the module
1 I/O bus
2 System LED
3 Allocation terminal no. - signal name
4 8 yellow/red LEDs signal status I0 ... I3/I4 ... I7
5 4 test pulse outputs T0 ... T1/T2 ... T3
6 8 yellow/red LEDs signal status O0 ... O3 / O4 ... O7
7 2 rotary switches for PROFIsafe address
8 Green LED for process voltage UP
9 Red LEDs to display module errors
10 Label (TA525)
11 I/O terminal unit (TU582-S)

3.4.1 Purpose

Safety digital input/output module DX581-S can be used as a remote expansion module at CI501-PNIO, CI502-PNIO, CI504-PNIO and CI506-PNIO PROFINET modules or locally at AC500 CPUs for up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) safety applications.

NOTICE! SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1) reachable in your safety application depend on the wiring of your sensors and actuators to the DX581-S module, see Chapter 3.4.7 "Circuit examples DX581-S" on page 100.


DX581-S contains 8 safety digital inputs 24 V DC separated in two groups (2.0 ... 2.3 and 4.0 ... 4.3) and 8 safety digital transistor outputs with no potential separation between the channels. The inputs/outputs are not electrically isolated from the other electronic circuitry of the module.

3.4.2 Functionality

Digital inputs | 8 (24 V DC)
Digital outputs | 8 (24 V DC)
LED displays | for signal status, module errors, channel errors and supply voltage
Internal power supply | through the I/O bus interface
External power supply | via the terminals ZP and UP (process voltage 24 V DC)

Self-tests and diagnostic functions (both start-up and runtime), like CPU and RAM tests, program flow control, cross-talk and stuck-at-1 tests, etc. are implemented in DX581-S according to IEC 61508 SIL 3 requirements.

NOTICE! Only F_Dest_Add is used for PROFIsafe F-Device identification in DX581-S.

DX581-S contains 8 safety digital input channels with the following features:
● Phase-shifted (unique) test pulses T0 ... T3 can be used for connection of mechanical sensors. Test pulse outputs T0 ... T3 provide a 24 V signal with short, phase-shifted, unique pulses (0 V) of 1 ms. Since the test pulses on each of the test pulse output channels are unique (due to the phase shift), they can be used to monitor the cross-talk between the given input channel with connected test pulse output and another wire, e.g., with 24 V DC, another test pulse output, etc. Test pulse outputs are dedicated ones:
  – T0 can be used only with input channels I0 and I1
  – T1 can be used only with input channels I2 and I3
  – T2 can be used only with input channels I4 and I5
  – T3 can be used only with input channels I6 and I7
● Input delay with the following values: 1 ms, 2 ms, 5 ms, 10 ms, 15 ms, 30 ms, 50 ms, 100 ms, 200 ms, 500 ms. The input delay value of 1 ms is the minimum one.

NOTICE! The allowed signal frequency on safety digital inputs depends on the input delay value for the given channel:
– For channel input delay values of 1 ... 10 ms, the pulse length of the input signal shall be ≥ 15 ms (~ 65 Hz) to avoid occasional input channel passivation.
– For a channel input delay of 15 ms, the pulse length of the input signal shall be ≥ 20 ms (~ 50 Hz) to avoid occasional input channel passivation.
– For a channel input delay of 30 ms, the pulse length of the input signal shall be ≥ 40 ms (~ 25 Hz) to avoid occasional input channel passivation.
– For a channel input delay of 50 ms, the pulse length of the input signal shall be ≥ 60 ms (~ 15 Hz) to avoid occasional input channel passivation.
– For a channel input delay of 100 ms, the pulse length of the input signal shall be ≥ 120 ms (~ 8 Hz) to avoid occasional input channel passivation.
– For a channel input delay of 200 ms, the pulse length of the input signal shall be ≥ 250 ms (~ 4 Hz) to avoid occasional input channel passivation.
– For a channel input delay of 500 ms, the pulse length of the input signal shall be ≥ 600 ms (~ 1.5 Hz) to avoid occasional input channel passivation.


DANGER! The input delay parameter means that signals with a duration shorter than the input delay value are never captured by the safety module. Signals with a duration equal to or longer than "input delay parameter" + "input delay accuracy" are always captured by the safety module, provided that the allowed frequency (refer to the previous notice) of the safety input signal is not exceeded.
The "input delay accuracy" can be estimated based on the following assumptions:
– If no test pulses are configured for the given safety digital input, then the input delay accuracy can be calculated as 1 % of the set input delay value (however, the input delay accuracy value must be at least 0.5 ms!).
– If test pulses are configured for the given safety digital input of the DX581-S module, then the input delay accuracy values can be estimated based on the input delay parameter value, see Table 6 "Input delay accuracy for DX581-S" on page 92.

Table 6: Input delay accuracy for DX581-S
Input delay (ms) | Input delay accuracy (ms)
1 | 2
2 | 2
5 | 3
10 | 4
15 | 5
30 | 6
50 | 10
100 | 15
200 | 25
500 | 50
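The three rules above (the allowed-frequency NOTICE, the input delay accuracy rule and Table 6) combined into one check that tells, for a given channel configuration, whether a signal of a given duration is filtered, captured with or without guarantee, or captured but short enough to risk occasional channel passivation. This is an added example written for this page, not ABB firmware or Automation Builder code; the function names, the classification labels and the sample durations are assumptions.

```python
"""Input delay capture rules for DX581-S safety digital inputs.

Added example for this page, not ABB firmware. Encodes the NOTICE on allowed
signal frequency, the DANGER on input delay accuracy and Table 6 from this section.
Function names and classification labels are assumptions.
"""

# Configurable input delay values in ms (section 3.4.2).
INPUT_DELAYS_MS = (1, 2, 5, 10, 15, 30, 50, 100, 200, 500)

# Table 6: input delay accuracy in ms when test pulses are configured.
ACCURACY_WITH_TEST_PULSE_MS = {
    1: 2, 2: 2, 5: 3, 10: 4, 15: 5, 30: 6, 50: 10, 100: 15, 200: 25, 500: 50,
}

# Minimum input pulse length in ms to avoid occasional channel passivation
# (NOTICE on allowed signal frequency; delays 1 ... 10 ms share the 15 ms bound).
MIN_PULSE_LENGTH_MS = {
    1: 15, 2: 15, 5: 15, 10: 15, 15: 20, 30: 40, 50: 60, 100: 120, 200: 250, 500: 600,
}


def input_delay_accuracy_ms(input_delay_ms: int, test_pulse: bool) -> float:
    """Input delay accuracy in ms for one channel configuration."""
    if input_delay_ms not in INPUT_DELAYS_MS:
        raise ValueError(f"unsupported input delay: {input_delay_ms} ms")
    if test_pulse:
        return float(ACCURACY_WITH_TEST_PULSE_MS[input_delay_ms])
    # Without test pulses: 1 % of the set delay, but never below 0.5 ms.
    return max(input_delay_ms / 100, 0.5)


def guaranteed_capture_ms(input_delay_ms: int, test_pulse: bool) -> float:
    """Shortest signal duration in ms that is always captured: delay + accuracy."""
    return input_delay_ms + input_delay_accuracy_ms(input_delay_ms, test_pulse)


def classify_signal(duration_ms: float, input_delay_ms: int, test_pulse: bool) -> str:
    """Classify a signal of the given duration (ms) for a channel configuration.

    filtered  : shorter than the input delay, never captured
    uncertain : at least the delay but below delay + accuracy, capture not guaranteed
    too_short : captured, but below the minimum pulse length, so the channel may be
                occasionally passivated
    ok        : captured and within the allowed signal frequency
    """
    if duration_ms < input_delay_ms:
        return "filtered"
    if duration_ms < guaranteed_capture_ms(input_delay_ms, test_pulse):
        return "uncertain"
    if duration_ms < MIN_PULSE_LENGTH_MS[input_delay_ms]:
        return "too_short"
    return "ok"


def capture_table(test_pulse: bool) -> list[tuple[int, float, int]]:
    """(input delay, guaranteed capture duration, minimum pulse length) per delay value."""
    return [
        (d, guaranteed_capture_ms(d, test_pulse), MIN_PULSE_LENGTH_MS[d])
        for d in INPUT_DELAYS_MS
    ]


if __name__ == "__main__":
    for delay, capture, min_pulse in capture_table(test_pulse=True):
        print(f"delay {delay:>3} ms: always captured from {capture:>5.1f} ms, "
              f"pulse length >= {min_pulse} ms")
```

With test pulses enabled and a 10 ms input delay, for instance, a 12 ms signal lies in the window between the delay and delay + accuracy (14 ms) and may or may not be captured, while a 14.5 ms signal is captured but still below the 15 ms bound and can trigger occasional passivation.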

● Checking of process power supply (a diagnostic message is sent from the safety I/O module to the CPU informing about the lack of process power supply for the given safety I/O module). This function is a non-safety one and is not related to the internal safety-relevant over- and undervoltage detection.
● 2 channel equivalent and 2 channel antivalent mode with discrepancy time monitoring (configurable 10 ms ... 30 s).

NOTICE! In a 2 channel mode, the lower channel (channels 0/4 ➔ Channel 0, channels 1/5 ➔ Channel 1, etc.) transports the aggregated process value, PROFIsafe diagnostic bit, acknowledgment request and acknowledge reintegration information. The higher channel always provides the passivated value "0".


DANGER! After a discrepancy time error, the relevant channels are passivated. As soon as a valid sensor state is observed (equivalent or antivalent, depending on the selected mode), the reintegration request status bit for the given channel becomes TRUE. You can acknowledge the error using the acknowledge reintegration command bit for the given channel. This can directly lead to the machine start, because both TRUE - TRUE and FALSE - FALSE are valid states for equivalence and both TRUE - FALSE and FALSE - TRUE are valid states for antivalence.
Make sure that such behavior is acceptable in your safety application. If not, you can use either the included PLCopen Safety POUs for 2 channel evaluation in your safety program or write your own POUs for 2 channel evaluation on the safety CPU.

Fig. 38: 2 channel equivalent mode implemented in DX581-S


Fig. 39: 2 channel antivalent mode implemented in DX581-S

NOTICE! 2 channel equivalent and 2 channel antivalent modes are implemented in the DI581-S and DX581-S modules to handle relatively static safety signals, e.g., those for emergency stop devices. If frequently changing signals, like those from light curtains, laser scanners, door switches, etc. must be handled by DI581-S and DX581-S, then it is highly recommended to use an input delay of 1 ms for these channels or to configure the related channels in 1 channel mode and do the 2 channel equivalent and 2 channel antivalent evaluation at the safety CPU using the PLCopen Safety FBs SF_Equivalent (see Chapter 4.6.4.2 "SF_Equivalent" on page 206) and SF_Antivalent (see Chapter 4.6.4.3 "SF_Antivalent" on page 211).
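A model of the 2 channel evaluation with discrepancy time monitoring, passivation and acknowledge reintegration described in this section, including the situation the DANGER above warns about: once the pair is acknowledged while the channels are already in a valid state, the next valid TRUE state is passed straight through as the process value. This is an added example, not ABB firmware and not the PLCopen Safety SF_Equivalent / SF_Antivalent blocks; the class names, the cycle-based timing (discrepancy accumulated per cycle, passivation once the configured discrepancy time is exceeded), the safe-side FALSE aggregation while the two channels disagree, and the sample sequence are assumptions.

```python
"""2 channel input evaluation with discrepancy time monitoring, passivation and
acknowledge reintegration, modelled from this section of the manual.

Added example, not ABB firmware and not the PLCopen Safety SF_Equivalent /
SF_Antivalent blocks. Assumptions: the pair is evaluated once per cycle of dt_ms,
discrepancy is accumulated per cycle and passivates the pair once the configured
discrepancy time is exceeded, and the aggregated value is safe-side (FALSE) while
the two channels disagree.
"""

from dataclasses import dataclass


@dataclass
class PairState:
    value: bool          # aggregated process value transported on the lower channel
    higher: bool         # the higher channel always provides the passivated value "0"
    passivated: bool
    reint_request: bool  # reintegration request status bit for the pair


@dataclass
class TwoChannelInput:
    antivalent: bool          # False: 2 channel equivalent, True: 2 channel antivalent
    discrepancy_time_ms: int  # configurable 10 ms ... 30 s on the module
    discrepant_ms: int = 0
    passivated: bool = False
    reint_request: bool = False

    def _valid(self, lower: bool, higher: bool) -> bool:
        # Equivalence: TRUE-TRUE and FALSE-FALSE are valid; antivalence: TRUE-FALSE and FALSE-TRUE.
        return (lower != higher) if self.antivalent else (lower == higher)

    def _aggregate(self, lower: bool, higher: bool) -> bool:
        # Safe-side aggregation (assumption): TRUE only when both channels demand it.
        return lower and ((not higher) if self.antivalent else higher)

    def cycle(self, lower: bool, higher: bool, dt_ms: int) -> PairState:
        """Evaluate one cycle of the two raw channel values."""
        valid = self._valid(lower, higher)
        if valid:
            self.discrepant_ms = 0
        else:
            self.discrepant_ms += dt_ms
            if self.discrepant_ms > self.discrepancy_time_ms:
                self.passivated = True  # discrepancy time error
        if self.passivated:
            # Reintegration is offered as soon as a valid sensor state is observed again.
            self.reint_request = valid
            return PairState(False, False, True, self.reint_request)
        return PairState(self._aggregate(lower, higher), False, False, False)

    def acknowledge(self) -> bool:
        """Acknowledge reintegration command bit; True if the pair was reintegrated."""
        if self.passivated and self.reint_request:
            self.passivated = False
            self.reint_request = False
            self.discrepant_ms = 0
            return True
        return False


def run_scenario() -> tuple[bool, list[tuple[bool, bool, bool]]]:
    """Constructed sample: equivalent mode, 50 ms discrepancy time, 10 ms cycles.

    Returns the acknowledge result and a trace of (value, passivated, reint_request).
    """
    pair = TwoChannelInput(antivalent=False, discrepancy_time_ms=50)
    trace = []
    # Both channels TRUE, then one contact drops out for 70 ms, then both FALSE.
    samples = [(True, True)] * 2 + [(True, False)] * 7 + [(False, False)] * 2
    for lower, higher in samples:
        s = pair.cycle(lower, higher, 10)
        trace.append((s.value, s.passivated, s.reint_request))
    acked = pair.acknowledge()
    # The very next valid TRUE-TRUE state after the acknowledge is passed straight
    # through: this is the immediate machine start the DANGER warns about.
    s = pair.cycle(True, True, 10)
    trace.append((s.value, s.passivated, s.reint_request))
    return acked, trace


def antivalent_demo() -> tuple[bool, bool, bool, bool]:
    """Constructed sample in antivalent mode with a 10 ms discrepancy time."""
    pair = TwoChannelInput(antivalent=True, discrepancy_time_ms=10)
    first = pair.cycle(True, False, 10).value         # valid TRUE-FALSE, value TRUE
    within = pair.cycle(True, True, 10).passivated    # 10 ms discrepancy, not yet exceeded
    exceeded = pair.cycle(True, True, 10).passivated  # 20 ms, pair passivated
    return first, within, exceeded, pair.acknowledge()  # no valid state seen, ack refused


if __name__ == "__main__":
    acked, trace = run_scenario()
    for i, (value, passivated, request) in enumerate(trace, start=1):
        print(f"cycle {i:2d}: value={value!s:5} passivated={passivated!s:5} reint_request={request}")
    print("acknowledged:", acked)
```

In the scenario the pair is passivated at the sixth discrepant cycle (60 ms > 50 ms), the reintegration request appears only when both channels read FALSE again, and after the acknowledge the first TRUE-TRUE sample yields value TRUE with nothing else in between. An application that must not restart automatically has to add its own restart interlock on the safety CPU, as the manual suggests.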

DX581-S contains 8 safety digital output channels with the following features:
● Internal output channel tests can be switched off.


DANGER! Parameter "Detection" of output channels
If for one of the output channels you set parameter "Detection" = OFF, a warning appears that the output channel does not satisfy max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) requirements in such a condition. Two safety output channels may have to be used to satisfy the required max. SIL or PL level.
The parameter "Detection" was created for customers who want to use safety outputs of DX581-S for max. SIL 1 (or max. SIL 2 under special conditions) or PL c (or maximum PL d under special conditions) safety functions and have fewer internal DX581-S pulses visible on the safety output line. Such internal pulses could be detected as a LOW signal by, for example, drive inputs, which would lead to an unintended machine stop.

DANGER! Behavior independent from the setting of parameter "Detection"
Short-circuit to ground for output channels in the DX581-S module is monitored. However, short-circuit to 24 V DC on the output wire is not monitored. End-users have to take appropriate actions (e.g., on the application side by defining appropriate test periods for the safety function or by reading back the status of the output wire using one of the available safety digital inputs) to satisfy their respective IEC 62061 and ISO 13849-1 requirements, if short-circuit to 24 V DC cannot be excluded.

DANGER! If an error is detected for the given safety output channel, it is directly passivated by the DX581-S module.
Note that for some errors, the reintegration request bit for passivated output channels is automatically set to HIGH as soon as the channel is passivated and the expected LOW state ("0" value) has been reached by the output channel. Such behavior can be seen for some errors because the DX581-S module is not able, in the LOW ("0" value) output channel state, to check whether the previously detected errors which led to the channel passivation still exist or not.
If the user attempts to reintegrate such output channels using the relevant acknowledge reintegration bits, he will succeed, but if the error is still present, the relevant channels will be passivated in the next DX581-S error detection cycle.
In the case of internal output module errors, the complete module will be passivated.

3.4.3 Mounting, dimensions and electrical connection

The input/output modules can be plugged only on the spring-type TU582-S I/O terminal unit. The unique mechanical coding on I/O terminal units prevents the potential mistake of placing a non-safety I/O module on a safety I/O terminal unit and the other way around. Basic information on system assembly is shown here. Detailed information can be found in [3].
Installation and maintenance have to be performed according to the technical rules, codes and relevant standards, e.g. EN 60204 part 1, by skilled electricians only.


DANGER! Hot plug and hot swap of energized modules is not permitted. All power sources (supply and process voltages) must be switched off while working with safety modules.

Assembly of DX581-S

Fig. 40: Assembly instructions

1. Put the module on the terminal unit.
   ⇒ The module clicks in.
2. Then press the module with a force of at least 100 N into the terminal unit to achieve proper electrical contact.


Disassembly of DX581-S

Fig. 41: Disassembly instructions

Press above and below, then remove the module.

Dimensions

[Fig. 42: Dimensions of DX581-S safety I/O module. Front and side views of the module on TU582-S with terminal rows 1.0 ... 4.9; dimensions in mm (inches): 57.7 (2.27), 59 (2.32), 70.5 (2.78), 135 (5.31), 67.5 (2.66).]

NOTICE! The same TU582-S is used by all AC500-S safety I/O modules. If TU582-S is wired for a DX581-S module with safety digital outputs and DI581-S or AI581-S modules are occasionally placed on this terminal unit, under no circumstances is it possible that safety digital output clamps on TU582-S become energized due to a wrongly placed DI581-S or AI581-S safety I/O module.

Electrical connection

The electrical connection of the I/O channels is carried out using the 40 terminals of the I/O terminal unit. I/O modules can be replaced without re-wiring the terminal units.


The terminals 1.8, 2.8, 3.8 and 4.8 as well as 1.9, 2.9, 3.9 and 4.9 are electrically interconnected within the I/O terminal unit and always have the same assignment, independent of the inserted module:
● Terminals 1.8, 2.8, 3.8 and 4.8: Process voltage UP = +24 V DC
● Terminals 1.9, 2.9, 3.9 and 4.9: Process voltage ZP = 0 V

The assignment of the other terminals:

Terminals | Signal | Meaning
1.0, 1.2, 3.0, 3.2 | T0, T1, T2, T3 | Connectors of 4 test pulse outputs T0, T1, T2, T3
2.0 ... 2.3, 4.0 ... 4.3 | I0, I1, I2, I3, I4, I5, I6, I7 | 8 safety digital inputs
2.4 ... 2.7, 4.4 ... 4.7 | O0, O1, O2, O3, O4, O5, O6, O7 | 8 safety digital outputs
1.8, 2.8, 3.8, 4.8 | UP | Process power supply +24 V DC
1.9, 2.9, 3.9, 4.9 | ZP | Central process earth
1.1, 1.3, 1.4, 1.5, 1.6, 1.7, 3.1, 3.3, 3.4, 3.5, 3.6, 3.7 | Free | Not used

NOTICE! The process voltage must be included in the earthing concept of the control system (e.g., earthing the minus pole).

Examples of connections

Examples of electrical connections with the DX581-S module, single channels Ix and Ox.

[Fig. 43: Example of electrical connections with DX581-S. UP +24 V on terminals 1.8, 2.8, 3.8, 4.8 and ZP 0 V on 1.9, 2.9, 3.9, 4.9; inputs I0 ... I3 on 2.0 ... 2.3 and I4 ... I7 on 4.0 ... 4.3; test pulse outputs T0 1.0, T1 1.2, T2 3.0, T3 3.2; outputs O0 ... O3 on 2.4 ... 2.7 and O4 ... O7 on 4.4 ... 4.7, with the output voltages labelled Uout.]


[Fig. 44: Example of single channels with DX581-S (one input channel Ix and one output channel Ox, each shown with its UP and ZP connections).]

3.4.4 Internal data exchange

Inputs (bytes) | 5
Outputs (bytes) | 3

3.4.5 I/O configuration

The safety digital input/output module DX581-S does not store configuration data itself. The configuration data is stored on the safety and non-safety CPUs.

3.4.6 Parameterization

The arrangement of the parameter data is performed by your system configuration software Automation Builder. The ABB GSDML file for PROFINET devices can be used to configure DX581-S parameters in 3rd party PROFINET F-Host systems. The parameter setting directly influences the functionality of the modules and the reachable SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1).

No. | Name | Values | Default
1 | Check supply | "On", "Off" | "On"
Inputs
2 | Input channel configuration | "Not used", "1 channel", "2 channel equivalent", "2 channel antivalent" | "Not used"
3 | Test pulse | "Disabled", "Enabled" | "Disabled"
4 | Input delay | "1 ms", "2 ms", "5 ms", "10 ms", "15 ms", "30 ms", "50 ms", "100 ms", "200 ms", "500 ms" | "5 ms"
5 | Discrepancy time* | "10 ms", "20 ms", "30 ms", "40 ms", "50 ms", "60 ms", "70 ms", "80 ms", "90 ms", "100 ms", "150 ms", "200 ms", "250 ms", "300 ms", "400 ms", "500 ms", "750 ms", "1 s", "2 s", "3 s", "4 s", "5 s", "10 s", "20 s", "30 s" | "50 ms"
Outputs
6 | Output channel configuration | "Not used", "Used" | "Not used"
7 | Detection (internal output channel test), see "Parameter "Detection" of output channels" on page 95 | "Off", "On" | "On"

* Available only for "2 channel equivalent" and "2 channel antivalent" configuration
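A plausibility check for a DX581-S parameter set that encodes the dependencies stated in this chapter: the discrepancy time applies only in the two 2 channel modes, the input delay must be one of the listed values, each test pulse output is dedicated to one input pair, frequently changing signals in a 2 channel mode should use the 1 ms delay or be evaluated on the safety CPU, and Detection = "Off" on a used output channel does not satisfy max. SIL 3 / PL e on its own. This is an added example, not Automation Builder's own validation; the dictionary layout, the finding codes and the constructed sample configuration are assumptions, and the 'wired_test_pulse' and 'dynamic_signal' entries are application information carried next to the module parameters, not parameters of the module itself.

```python
"""Plausibility checks for a DX581-S parameter set (section 3.4.6 parameter table).

Added example, not Automation Builder's own validation. The dictionary layout and
the finding codes are assumptions; 'wired_test_pulse' and 'dynamic_signal' are
application information carried alongside the module parameters, not parameters
of the module itself.
"""

INPUT_MODES = {"Not used", "1 channel", "2 channel equivalent", "2 channel antivalent"}
INPUT_DELAYS = {"1 ms", "2 ms", "5 ms", "10 ms", "15 ms", "30 ms", "50 ms",
                "100 ms", "200 ms", "500 ms"}
DISCREPANCY_TIMES = {"10 ms", "20 ms", "30 ms", "40 ms", "50 ms", "60 ms", "70 ms",
                     "80 ms", "90 ms", "100 ms", "150 ms", "200 ms", "250 ms",
                     "300 ms", "400 ms", "500 ms", "750 ms", "1 s", "2 s", "3 s",
                     "4 s", "5 s", "10 s", "20 s", "30 s"}
# Test pulse outputs are dedicated: T0 for I0/I1, T1 for I2/I3, T2 for I4/I5, T3 for I6/I7.
TEST_PULSE_FOR_INPUT = {0: "T0", 1: "T0", 2: "T1", 3: "T1", 4: "T2", 5: "T2", 6: "T3", 7: "T3"}


def validate(params: dict) -> list[tuple[str, str]]:
    """Return (channel, finding) pairs in channel order; an empty list means no objection."""
    findings = []
    inputs = params.get("inputs", {})
    for ch in sorted(inputs):
        cfg = inputs[ch]
        name = f"I{ch}"
        if ch not in TEST_PULSE_FOR_INPUT:
            findings.append((name, "unknown_input_channel"))
            continue
        mode = cfg.get("mode", "Not used")
        if mode not in INPUT_MODES:
            findings.append((name, "unknown_mode"))
            continue
        delay = cfg.get("delay", "5 ms")  # module default is "5 ms"
        if delay not in INPUT_DELAYS:
            findings.append((name, "invalid_input_delay"))
        if mode.startswith("2 channel"):
            if cfg.get("discrepancy_time", "50 ms") not in DISCREPANCY_TIMES:
                findings.append((name, "invalid_discrepancy_time"))
            # Frequently changing signals: use 1 ms or evaluate the pair on the safety CPU.
            if cfg.get("dynamic_signal") and delay != "1 ms":
                findings.append((name, "dynamic_signal_use_1ms_or_cpu_evaluation"))
        elif "discrepancy_time" in cfg:
            # Parameter 5 is available only for the 2 channel configurations.
            findings.append((name, "discrepancy_time_only_in_2_channel_modes"))
        if cfg.get("test_pulse", "Disabled") == "Enabled":
            wired = cfg.get("wired_test_pulse")
            if wired is not None and wired != TEST_PULSE_FOR_INPUT[ch]:
                findings.append((name, f"test_pulse_must_be_{TEST_PULSE_FOR_INPUT[ch]}"))
    outputs = params.get("outputs", {})
    for ch in sorted(outputs):
        cfg = outputs[ch]
        if cfg.get("used") and cfg.get("detection", "On") == "Off":
            # A single output channel with Detection = Off does not reach max. SIL 3 / PL e.
            findings.append((f"O{ch}", "detection_off_not_sil3_ple"))
    return findings


# Constructed sample configuration (assumption, not a real project).
SAMPLE_PARAMS = {
    "inputs": {
        0: {"mode": "2 channel equivalent", "delay": "5 ms", "discrepancy_time": "50 ms",
            "test_pulse": "Enabled", "wired_test_pulse": "T0"},
        2: {"mode": "1 channel", "delay": "5 ms", "discrepancy_time": "50 ms"},
        3: {"mode": "1 channel", "delay": "3 ms"},
        5: {"mode": "2 channel antivalent", "delay": "10 ms", "discrepancy_time": "50 ms",
            "test_pulse": "Enabled", "wired_test_pulse": "T1", "dynamic_signal": True},
    },
    "outputs": {
        0: {"used": True, "detection": "Off"},
        1: {"used": True, "detection": "On"},
    },
}

if __name__ == "__main__":
    for channel, finding in validate(SAMPLE_PARAMS):
        print(f"{channel}: {finding}")
```

Run against the sample, the check reports the ignored discrepancy time on I2, the non-listed 3 ms delay on I3, the 10 ms delay on a dynamically driven 2 channel input I5 together with its test pulse wired to T1 instead of the dedicated T2, and the Detection = "Off" setting on O0; I0 and O1 pass.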

3.4.7 Circuit examples DX581-S

Examples of electrical connections and reachable SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1) with the DX581-S module are presented below. Note that the electrical connections presented for DI581-S safety input channels are also valid for DX581-S safety input channels.

NOTICE! Whenever DC = High is used in the circuit examples with safety digital inputs, the following measure from ISO 13849-1 [9] is used with the DX581-S module: Cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O).
Whenever DC = Medium is used in the circuit examples with safety digital inputs, any of the measures for input devices with DC ≥ 90 % can be used from ISO 13849-1 [9].

NOTICE! Whenever DC = High is used in the circuit examples with safety digital outputs, the following measure from ISO 13849-1 [9] is used with the DX581-S module: Cross monitoring of output signals and intermediate results within the logic (L) and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O).
Whenever DC = Medium is used in the circuit examples with safety digital outputs, any of the measures for output devices with DC ≥ 90 % can be used from ISO 13849-1 [9].

DANGER! The reachable SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1) levels for safety outputs of the DX581-S module are only valid if the parameter Detection = "On". If the parameter Detection = "Off", then contact ABB technical support to obtain the proper reachable SIL, max. SIL and PL levels.


Relay

Internal output channel test | Yes
Max. SIL / PL 1) | Max. SIL 1 / PL c
SIL 2) | SIL 2
Max. SIL / PL 3) | Max. SIL 2 / PL d
SIL 4) | SIL 3

[Fig. 45: Circuit example DX581-S, relay. DX581-S on TU582-S with 24 V DC / GND supply, relay K1 driven from a safety output, and an optional readback contact (with or without).]

1) Without readback contact: Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion); MTTFd = High; DC = 0
2) Without readback contact: Max. reachable SIL acc. IEC 61508 (type A components are required) ➔ without error exclusion (you can reach a higher level up to SIL 3 with error exclusion)
3) With readback contact: Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion); MTTFd = High; DC = Medium
4) With readback contact: Max. reachable SIL acc. IEC 61508 (type A components are required)


2 relays

Internal output channel test | Yes
Max. SIL / PL 1) | Max. SIL 1 / PL c
SIL 2) | SIL 3
Max. SIL / PL 3) | Max. SIL 3 / PL e
SIL 4) | SIL 3

[Fig. 46: Circuit example DX581-S, 2 relays. DX581-S on TU582-S with 24 V DC / GND supply, relays K1 and K2 driven from safety outputs, and an optional readback contact (with or without).]

1) Without readback contact: Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion); MTTFd = High; DC = 0
2) Without readback contact: Max. reachable SIL acc. IEC 61508 (type A components are required)
3) With readback contact: Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1); MTTFd = High; DC = High
4) With readback contact: Max. reachable SIL acc. IEC 61508 (type A components are required)


Device with transistor input (1-channel)

Internal output channel test | Yes
Max. SIL / PL 1) | Max. SIL 1 / PL c
SIL 2) | SIL 2
Max. SIL / PL 3) | Max. SIL 2 / PL d
SIL 4) | SIL 3

[Fig. 47: Circuit example DX581-S, device with transistor input (1-channel). DX581-S on TU582-S with 24 V DC / GND supply; one safety output drives the 1-channel control input E1 (GND) of a device, e.g. a drive; optional readback contact (with or without).]

1) Without readback contact: Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion); MTTFd = High; DC = 0
2) Without readback contact: Max. reachable SIL acc. IEC 61508 (type A components are required) ➔ without error exclusion (you can reach a higher level up to SIL 3 with error exclusion)
3) With readback contact: Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion); MTTFd = High; DC = Medium
4) With readback contact: Max. reachable SIL acc. IEC 61508 (type A components are required)


Device with transistor input (2-channel)

Internal output channel test | Yes
Max. SIL / PL 1) | Max. SIL 1 / PL c
SIL 2) | SIL 3
Max. SIL / PL 3) | Max. SIL 3 / PL e
SIL 4) | SIL 3

[Fig. 48: Circuit example DX581-S, device with transistor input (2-channel). DX581-S on TU582-S with 24 V DC / GND supply; two safety outputs drive the 2-channel control inputs E1 and E2 (GND) of a device, e.g. a drive; optional readback contact (with or without).]

1) Without readback contact: Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion); MTTFd = High; DC = 0
2) Without readback contact: Max. reachable SIL acc. IEC 61508 (type A components are required)
3) With readback contact: Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1); MTTFd = High; DC = Medium
4) With readback contact: Max. reachable SIL acc. IEC 61508 (type A components are required)


Error detection on the output wire of lamp, valve, etc.

Internal output channel test | Yes
Max. SIL / PL 1) | Max. SIL 2 / PL d. Additional dynamic application-specific tests for wiring are required depending on the application and the required wiring error detection (short-circuit to 24 V DC, cross-talk error on safety digital outputs, etc.).
SIL 2) | SIL 3

Fig. 49: Circuit example DX581-S, error detection on the output wire of lamp, valve, etc.

1) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion); MTTFd = High; DC = Medium
2) Max. reachable SIL acc. IEC 61508 (type A components are required)


Application example

[Fig. 50: Application example with DX581-S. DX581-S on TU582-S with 24 V DC / GND supply; inputs from E-Stop, Safety door contact 1 and Safety door contact 2, a user acknowledgement input and a feedback loop from the contactors; safety outputs driving contactors K1 and K2, whose contacts switch a 3~ motor from L.]

3.4.8 LED status display

Table 7: Status display and its meaning
LED | Description | Color | LED = OFF | LED = ON | LED flashes
Inputs 0 ... 7 | Digital input | Yellow | Input = OFF | Input = ON (the input voltage is displayed even if the supply voltage is OFF) | -
Inputs 0 ... 7 | Channel error | Red | No channel error | Channel error | -
Outputs 0 ... 7 | Digital output | Yellow | Output = OFF | Output = ON | -
Outputs 0 ... 7 | Channel error | Red | No channel error | Channel error | -
UP | Process voltage +24 V DC via terminal | Green | Process supply voltage is missing | Process supply voltage is OK | -

AC500-S safety modulesDX581-S safety digital input/output module > LED status display

2022/02/043ADR025091M0210, 14, en_US106

Page 107: AC500-S Safety user manual V1.3.0 - ABB

LED | Description | Color | LED = OFF | LED = ON | LED flashes
PWR | +3.3 V voltage from I/O bus | Green | +3.3 V I/O bus voltage is not available | +3.3 V I/O bus voltage is available | -
ERR1 / ERR2 | Module error indicator 1 / 2 | Red | No module error | Module error which leads to a SAFE STOP state | Module passivation and/or acknowledgment request (alternating blinking)

3.4.9 Technical data

NOTICE! DX581-S-XC version is available for usage in extreme environmental conditions, see Appendix A “System data for AC500-S-XC” on page 376.

Additional technical data is available in ABB PLC catalog at www.abb.com/plc.

Process supply voltage UP

Data | Value
Connections terminals 1.8 ... 4.8 (UP) | +24 V
Connections terminals 1.9 ... 4.9 (ZP) | 0 V
Rated value (-15 %, +20 %, without ripple) | 24 V DC
Max. ripple | 5 %
Protection against reversed voltage | yes
Rated protection fuse for UP (fast) | 10 A
Electrical isolation | per module
Mechanisms in which I/Os are processed | periodically refreshed
Current consumption from UP at normal operation with +24 V DC (for module electronics) | 0.18 A
Inrush current from UP at 30 V (at power up) | 0.1 A²s
Inrush current from UP at 24 V (at power up) | 0.06 A²s

NOTICE! All DX581-S channels (including test pulse outputs) are protected against reverse polarity, reverse supply, short circuit and continuous overvoltage up to 30 V DC.

Mounting position

Horizontal or vertical with derating (output load reduced to 50 % at +40 °C per group and with maximal operating temperature reduced to +40 °C).

Cooling

The natural convection cooling must not be hindered by cable ducts or other parts in the switchgear cabinet.

Page 108: AC500-S Safety user manual V1.3.0 - ABB

Allowed interruptions of power supply, according to EN 61131-2

Data | Value
DC supply interruptions | < 10 ms
Time between 2 DC supply interruptions, PS2 | > 1 s

Environmental conditions

Data | Value
Operating temperature* | 0 ... +60 °C
Storage temperature | -40 ... +85 °C
Transport temperature | -40 ... +85 °C
Humidity without condensation | max. 95 %
Operating air pressure | > 800 hPa
Storage air pressure | > 660 hPa
Operating altitude | < 2000 m above sea level
Storage altitude | < 3500 m above sea level

* Extended temperature ranges (below 0 °C and above +60 °C) can be supported in special versions of DX581-S, see Appendix A “System data for AC500-S-XC” on page 376.

Creepage distances and clearances

The creepage distances and clearances meet the overvoltage category II, pollution degree 2.

Power supply units

For the supply of modules, power supply units according to PELV/SELV specifications must be used.

Electromagnetic compatibility

For information on electromagnetic compatibility refer to the latest TÜV SÜD Report, see [1].

Mechanical properties

Data | Value
Degree of protection | IP 20
Housing | according to UL 94
Vibration resistance acc. to EN 61131-2 (all three axes), continuous, 2 ... 15 Hz | 3.5 mm
Vibration resistance acc. to EN 61131-2 (all three axes), continuous, 15 ... 150 Hz | 1 g *
Shock test (all three axes), 11 ms half-sinusoidal | 15 g
MTBF | 73 years

* Higher values on request

Self-test and diagnostic functions

Start-up and runtime tests: Program flow control, RAM, CPU, cross-talk, stuck-at-1, etc.

Dimensions, weight

Data | Value
W x H x D | 67.5 x 76 x 62 mm
Weight | ~ 130 g

Page 109: AC500-S Safety user manual V1.3.0 - ABB

Certifications

CE, cUL (further certifications at www.abb.com/plc)

3.4.9.1 Technical data of safety digital inputs

Data | Value
Number of input channels per module | 8
Terminals of the channels I0 to I3 | 2.0 ... 2.3
Terminals of the channels I4 to I7 | 4.0 ... 4.3
Terminals of reference potential for all inputs (minus pole of the process supply voltage, signal name ZP) | 1.9 ... 4.9
Electrical isolation from the rest of the module (I/O bus) | Yes
Input type acc. to EN 61131-2 | Type 1
Input delay (0 ➔ 1 or 1 ➔ 0), configurable | 1 ... 500 ms

Input signal indication

One yellow LED per channel; the LED is ON when the input signal is high (signal 1).

Signal voltage

Data | Value
Input signal voltage | 24 V DC
Signal 0 | -3 ... +5 V
Undefined signal | > +5 ... < +15 V
Signal 1 | +15 ... +30 V

Input current per channel

Data | Value
Input voltage +24 V, typically | 7 mA
Input voltage +5 V | > 1 mA
Input voltage +15 V | > 4 mA
Input voltage +30 V | < 8 mA

Cable length

Data | Value
Max. cable length, shielded | 1000 m
Max. cable length, unshielded | 600 m

3.4.9.2 Technical data of safety digital outputs

DANGER! Exceeding the permitted process or supply voltage range (< -35 V DC or > +35 V DC) could lead to unrecoverable damage of the system.

Page 110: AC500-S Safety user manual V1.3.0 - ABB

Data | Value
Number of channels per module (transistor outputs) | 8
Terminals of reference potential for all outputs (minus pole of the process supply voltage, signal name ZP) | 1.9 ... 4.9
Terminals of common power supply voltage for all outputs (plus pole of the process supply voltage, signal name UP) | 1.8 ... 4.8
Output voltage for signal 1 | UP - 3 V
Output delay (0 ➔ 1 or 1 ➔ 0): 5 mA output current | 1 ms
Output delay (0 ➔ 1 or 1 ➔ 0): 500 mA output current | 4 ms
Ability to switch a capacitive load of at least | 300 µF
Ability to switch an inductive load of at least | 1 H

Output current

Data | Value
Rated value, per channel at UP = 24 V | 500 mA
Maximum value (all channels together) | 4 A
Leakage current with signal 0 | < 0.5 mA
Short-circuit proof/overload proof | yes
Overload message (channel passivation), I > 0.7 A | yes
Output current limitation (automatic reactivation after short-circuit/overload) | yes
Resistance to feedback against 24 V signal connection | yes
Demagnetization by internal suppressor diodes when switching off inductive loads | yes
Rated protection fuse on UP | 4.5 A

Cable length

Data | Value
Max. cable length, shielded | 1000 m
Max. cable length, unshielded | 600 m

3.4.9.3 Technical data of non-safety test pulse outputs

Data | Value
Number of test pulse channels per module (transistor test pulse outputs) | 4
Terminals of the channels T0, T1 | 1.0, 1.2
Terminals of the channels T2, T3 | 3.0, 3.2
Terminals of reference potential for all test pulse outputs (minus pole of the process supply voltage, signal name ZP) | 1.9 ... 4.9
Terminals of common power supply voltage for all outputs (plus pole of the process supply voltage, signal name UP) | 1.8 ... 4.8
Output voltage for signal 1 | UP - 0.8 V

Page 111: AC500-S Safety user manual V1.3.0 - ABB

Data | Value
Length of test pulse 0 phase | 1 ms

Output current

Data | Value
Rated value, per channel | 10 mA
Maximum value (all channels together) | 40 mA
Short-circuit proof / overload proof | yes
Output current limitation | 65 mA
Resistance to feedback against 24 V signal connection | yes

Cable length

Data | Value
Max. cable length, shielded | 1000 m
Max. cable length, unshielded | 600 m

3.4.10 Ordering data

Type | Description | Part no.
DX581-S | Safety digital I/O module 8SDI/SDO | 1SAP 284 100 R0001
DX581-S-XC | Safety digital I/O module 8SDI/SDO, extreme conditions | 1SAP 484 100 R0001

Page 112: AC500-S Safety user manual V1.3.0 - ABB

3.5 AI581-S safety analog input module

[Fig. 51 residue: AI581-S module front (UP 24VDC 2W 4SAI Safety Analog Input; terminals 1.0 ... 4.9; UP/ZP; I0- ... I3- on 1.0, 1.2, 3.0, 3.2; I0+ ... I3+ on 2.0, 2.2, 4.0, 4.2; FE on 1.1, 1.3, 3.1, 3.3; LEDs PWR/ERR1/ERR2; ADDR x10H/x01H rotary switches with scale 0 ... F) with callouts 1 ... 9]

Fig. 51: Safety analog input module AI581-S, plugged on terminal unit TU582-S

Elements of the module

1 I/O bus
2 System LED
3 Allocation terminal no. - signal name
4 4 yellow/red LEDs signal status I0 ... I1/I2 ... I3
5 2 rotary switches for PROFIsafe address
6 Green LED for process voltage UP
7 Red LEDs to display module errors
8 Label (TA525)
9 I/O terminal unit (TU582-S)

3.5.1 Purpose

Safety analog input module AI581-S can be used as a remote expansion module at CI501-PNIO, CI502-PNIO, CI504-PNIO and CI506-PNIO PROFINET modules or locally at AC500 CPUs for up to SIL 3 (IEC 61508), max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) safety applications.

NOTICE! SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1) reachable in your safety application depend on the wiring of your sensors to AI581-S module, see Chapter 3.5.7 “Circuit examples AI581-S” on page 119.

AI581-S contains 4 safety current analog inputs separated in two groups (2.0 ... 2.2 and 4.0 ... 4.2) with no potential separation between the channels.

Page 113: AC500-S Safety user manual V1.3.0 - ABB

The inputs are not electrically isolated from the other electronic circuitry of the module.

3.5.2 Functionality

Analog inputs: 4 (0 ... 20 mA or 4 ... 20 mA)
LED displays for signal status, module errors, channel errors and supply voltage
Internal power supply through the I/O bus interface
External power supply via the terminals ZP and UP (process voltage 24 V DC)

Self-tests and diagnostic functions (both start-up and runtime), like CPU and RAM tests, program flow control and cross-talk tests, etc., are implemented in AI581-S according to IEC 61508 SIL 3 requirements.

NOTICE! Only F_Dest_Add is used for PROFIsafe F-Device identification in AI581-S.

AI581-S contains 4 safety analog input channels with the following features:
● 14 bit resolution.
● Checking of process power supply (a diagnostic message is sent from the safety I/O module to the CPU informing about the lack of process power supply for the given safety I/O module). This function is a non-safety one and is not related to the internal safety-relevant over- and undervoltage detection.
● Noise rejection 50 Hz or 60 Hz.
● 1 channel (0 ... 20 mA), 1 channel (4 ... 20 mA) or 2 channel (4 ... 20 mA) modes (the minimum or maximum value can be selected for transfer to the safety CPU in 2 channel (4 ... 20 mA) mode; a tolerance range of 4 ... 12 % can be set for 2 channel mode).

NOTICE! In 2 channel mode, the lower channel (channels 0/2 ➔ Channel 0, channels 1/3 ➔ Channel 1, etc.) transports the aggregated process value, PROFIsafe diagnostic bit, acknowledgment request and acknowledge reintegration information. The higher channel always provides the passivated value "0".

NOTICE! The maximal internal discrepancy time between two internal channel values (1 channel or 2 channel modes) in AI581-S module is 67.5 ms, which is also an internal worst-case input delay value. The discrepancy time between two channel values (2 channel mode) with the selected supervised tolerance range (4 ... 12 %) is also 67.5 ms.

NOTICE! The analog input channels have a built-in hardware low-pass filter of 100 Hz.

Page 114: AC500-S Safety user manual V1.3.0 - ABB

NOTICE! In case of an overcurrent/undercurrent detected at the safety analog input channel, the channel passivation takes place at the latest after 200 ms. The channel remains passivated for 30 s; then a check is performed to determine whether the overcurrent/undercurrent is still present. If the overcurrent/undercurrent has gone, the reintegration request signal for the given channel is set to TRUE to allow channel reintegration.
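An added example (not ABB code and not part of the manual) that simulates the passivation timing just described for one channel: a fault must persist for the 200 ms passivation delay, the channel then stays passivated for the 30 s hold, and the reintegration request is raised only if the re-check after the hold finds the fault gone. The `ChannelMonitor` class, the 1 ms sampling, the restart of the hold when the fault persists at the re-check, and the `acknowledge` step that clears the passivation are assumptions of this example, not behaviour the manual states.

```python
"""Passivation and reintegration timing of one safety analog input channel.

Added example modelled on the AI581-S overcurrent/undercurrent NOTICE; it is
not ABB code. Page facts used: passivation at the latest 200 ms after the
fault is detected, a 30 s passivation hold, a re-check after the hold, and a
reintegration request set TRUE only if the fault has gone. Assumptions: the
channel is sampled every millisecond, a fault still present at the re-check
restarts the 30 s hold, and an acknowledgement reintegrates the channel.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PASSIVATION_DELAY_MS = 200      # page: "latest after 200 ms"
PASSIVATION_HOLD_MS = 30_000    # page: "remains passivated for 30 s"


@dataclass
class ChannelMonitor:
    passivated: bool = False
    reintegration_request: bool = False
    fault_since_ms: Optional[int] = None       # first sample of the current fault
    passivated_at_ms: Optional[int] = None     # when the hold timer was started
    events: List[Tuple[int, str]] = field(default_factory=list)

    def sample(self, now_ms: int, fault_present: bool) -> bool:
        """Process one 1 ms sample; returns True while the channel is passivated."""
        if not self.passivated:
            if not fault_present:
                self.fault_since_ms = None          # fault cleared before the delay expired
            elif self.fault_since_ms is None:
                self.fault_since_ms = now_ms        # fault starts: arm the 200 ms delay
            elif now_ms - self.fault_since_ms >= PASSIVATION_DELAY_MS:
                self.passivated = True              # delay expired: passivate (value "0")
                self.passivated_at_ms = now_ms
                self.reintegration_request = False
                self.events.append((now_ms, "passivated"))
            return self.passivated

        # Passivated: wait out the hold, then re-check once.
        if not self.reintegration_request and now_ms - self.passivated_at_ms >= PASSIVATION_HOLD_MS:
            if fault_present:
                self.passivated_at_ms = now_ms      # assumption: persisting fault restarts the hold
                self.events.append((now_ms, "fault persists, hold restarted"))
            else:
                self.reintegration_request = True   # fault gone: allow reintegration
                self.events.append((now_ms, "reintegration request"))
        return True

    def acknowledge(self, now_ms: int) -> bool:
        """Reintegrate on acknowledgement (assumption); accepted only while a request is pending."""
        if not (self.passivated and self.reintegration_request):
            return False
        self.passivated = False
        self.reintegration_request = False
        self.fault_since_ms = None
        self.passivated_at_ms = None
        self.events.append((now_ms, "reintegrated"))
        return True


def run_scenario(fault_until_ms: int, end_ms: int) -> List[Tuple[int, str]]:
    """Constructed scenario: a fault from t = 0 up to (not including) fault_until_ms,
    sampled every millisecond until end_ms; returns the event log."""
    mon = ChannelMonitor()
    for t in range(end_ms + 1):
        mon.sample(t, fault_present=t < fault_until_ms)
    return mon.events


if __name__ == "__main__":
    for event in run_scenario(fault_until_ms=1_000, end_ms=31_000):
        print(event)
```

Running the file prints the event log of the constructed scenario: passivation at 200 ms and the reintegration request at 30 200 ms. A fault that clears before the 200 ms delay expires produces no passivation at all, so in this model the delay also filters short transients.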

The following table shows the mapping of safety CPU process values to the values in mA from AI581-S module. Two modes are defined for an analog input: 0 ... 20 mA and 4 ... 20 mA.

NOTICE! Both overflow and overrange represent an overcurrent. Both underflow and underrange represent an undercurrent. Only in case of overflow and underflow, the analog channels are passivated and "0" process values are delivered to the safety CPU.

Range | 0 ... 20 mA | 4 ... 20 mA | Digital value (dec), 0 ... 20 mA | Digital value (dec), 4 ... 20 mA | Digital value (hex), 0 ... 20 mA | Digital value (hex), 4 ... 20 mA
Overflow* | > 23.519 | > 22.81 | 32767* ... 32512* | 32767* ... 32512* | 7FFF* ... 7F00* | 7FFF* ... 7F00*
Overrange | 23.519 ... 20.000723 | 22.81 ... 20.000578 | 32511 ... 27649 | 32511 ... 27649 | 7EFF ... 6C01 | 7EFF ... 6C01
Nominal range | 20 ... 0 | 20 ... 16 ... 4 | 27648 ... 0 | 27648 ... 20736 ... 0 | 6C00 ... 0000 | 6C00 ... 5100 ... 0000
Underrange | -0.000723 ... -1.481 | 3.999421 ... 1.185 | -1 ... -2048 | -1 ... -4864 | FFFF ... F800 | FFFF ... ED00
Underflow* | < -1.481 | < 1.185 | -2049* ... -32768* | -4865* ... -32678* | F7FF* ... 8000* | ECFF* ... 8000*

* In these cases, the analog channels are passivated and "0" process values are delivered to the safety CPU.
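As an added worked example (not ABB code and not part of the manual), the range table above and the 2 channel (4 ... 20 mA) mode described in the functionality section, modelled in Python. The scaling (27648 digits span 20 mA in 0 ... 20 mA mode and 16 mA in 4 ... 20 mA mode), the band limits and the rule that only overflow and underflow passivate the channel come from the table. The names `digital_from_ma`, `classify`, `evaluate_2channel`, the mode strings "0..20" / "4..20", the reading of the 8000 hex underflow floor as the 16-bit value -32768, the application of the tolerance as a percentage of the 27648 full-scale value, and the passivation of a channel pair when the tolerance is exceeded are assumptions of this example.

```python
"""Digital value mapping of a safety analog input, 0 ... 20 mA and 4 ... 20 mA modes.

Added example built from the AI581-S range table; it is not ABB code. Page facts
used: 20 mA -> 27648 (6C00 hex) in both modes, 0 mA (0 ... 20 mA mode) or 4 mA
(4 ... 20 mA mode) -> 0, overrange up to 32511 (7EFF hex), overflow from 32512
(7F00 hex), underrange down to -2048 (F800 hex) or -4864 (ED00 hex), and
underflow below that down to 8000 hex (read here as the 16-bit value -32768).
Only overflow and underflow passivate the channel and deliver the value "0".
"""
from dataclasses import dataclass
from enum import Enum

FULL_SCALE = 27648                 # digital value at 20 mA (6C00 hex)
OVERRANGE_MAX = 32511              # 7EFF hex; 32512 (7F00 hex) and above is overflow
INT16_MAX = 32767                  # 7FFF hex, top of the overflow band
INT16_MIN = -32768                 # 8000 hex, bottom of the underflow band (assumption)
UNDERRANGE_MIN = {"0..20": -2048, "4..20": -4864}   # F800 hex / ED00 hex


class Band(Enum):
    OVERFLOW = "overflow"
    OVERRANGE = "overrange"
    NOMINAL = "nominal"
    UNDERRANGE = "underrange"
    UNDERFLOW = "underflow"


@dataclass(frozen=True)
class ChannelValue:
    digital: int        # value delivered to the safety CPU (0 when passivated)
    band: Band
    passivated: bool


def digital_from_ma(current_ma: float, mode: str) -> int:
    """Scale a current to the raw 16-bit value of the table: 27648 digits span
    20 mA in 0 ... 20 mA mode and 16 mA in 4 ... 20 mA mode."""
    if mode == "0..20":
        raw = round(current_ma * FULL_SCALE / 20.0)
    elif mode == "4..20":
        raw = round((current_ma - 4.0) * FULL_SCALE / 16.0)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return max(INT16_MIN, min(INT16_MAX, raw))   # saturate like a 16-bit converter


def classify(raw: int, mode: str) -> ChannelValue:
    """Place a raw value in its band and apply the passivation rule of the table."""
    if raw > OVERRANGE_MAX:
        band = Band.OVERFLOW
    elif raw > FULL_SCALE:
        band = Band.OVERRANGE
    elif raw >= 0:
        band = Band.NOMINAL
    elif raw >= UNDERRANGE_MIN[mode]:
        band = Band.UNDERRANGE
    else:
        band = Band.UNDERFLOW
    passivated = band in (Band.OVERFLOW, Band.UNDERFLOW)
    return ChannelValue(0 if passivated else raw, band, passivated)


def evaluate_2channel(ma_a: float, ma_b: float, tolerance_pct: int, used_value: str = "Minimum"):
    """2 channel (4 ... 20 mA) mode for one channel pair.

    Returns (lower_channel, higher_channel, passivated). The lower channel carries
    the aggregated value (the configured minimum or maximum of the two readings);
    the higher channel always carries the passivated value 0. Assumptions: the
    tolerance (4 ... 12 %) is applied as a percentage of the 27648 full-scale
    value, and a discrepancy beyond it passivates the pair (the page states the
    tolerance and the 67.5 ms discrepancy time, not the reaction)."""
    a = classify(digital_from_ma(ma_a, "4..20"), "4..20")
    b = classify(digital_from_ma(ma_b, "4..20"), "4..20")
    if a.passivated or b.passivated:
        return (0, 0, True)                      # over-/underflow on either channel
    if abs(a.digital - b.digital) > tolerance_pct / 100.0 * FULL_SCALE:
        return (0, 0, True)                      # channels disagree beyond the tolerance
    if used_value == "Minimum":
        return (min(a.digital, b.digital), 0, False)
    return (max(a.digital, b.digital), 0, False)
```

The band boundaries reproduce the table exactly: 27648 is still nominal, 27649 ... 32511 is overrange with the value passed through, and 32512 upward is overflow with the value replaced by 0. Reading the two sensors of a pair through `evaluate_2channel` shows why the "Used value" and "Tolerance range" parameters belong together: with a 4 % tolerance a 1 mA disagreement between 12 mA and 13 mA (1728 digits) already passivates the pair, while at 12 % it is accepted and the selected minimum or maximum is delivered on the lower channel.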


Page 115: AC500-S Safety user manual V1.3.0 - ABB

3.5.3 Mounting, dimensions and electrical connection

The input modules can be plugged only on spring-type TU582-S I/O terminal unit. The unique mechanical coding on I/O terminal units prevents a potential mistake of placing the non-safety I/O module on safety I/O terminal unit and the other way around. Basic information on system assembly is shown here. Detailed information can be found in [3].

Installation and maintenance have to be performed according to the technical rules, codes and relevant standards, e.g. EN 60204 part 1, by skilled electricians only.

DANGER! Hot plug and hot swap of energized modules is not permitted. All power sources (supply and process voltages) must be switched off while working with safety modules.

Assembly of AI581-S

Fig. 52: Assembly instructions

1. Put the module on the terminal unit.
   ➔ The module clicks in.
2. Then press the module with a force of at least 100 N into the terminal unit to achieve proper electrical contact.

Page 116: AC500-S Safety user manual V1.3.0 - ABB

Disassembly of AI581-S

Fig. 53: Disassembly instructions

Press above and below, then remove the module.

Dimensions

[Fig. 54 residue: three views of AI581-S on TU582-S with terminal rows 1.0 ... 4.9 and dimensions in mm (inches): 135 (5.31), 84.5 (3.33), 77 (3.03), 76 (2.99), 75 (2.95), 70.5 (2.78), 67.5 (2.66), 59 (2.32), 57.7 (2.27), 54 (2.13), 28 (1.10), 21 (0.83); DIN rail 15 mm, DIN rail 7.5 mm]

Fig. 54: Dimensions of AI581-S safety I/O module

NOTICE! The same TU582-S is used by all AC500-S safety I/O modules. If TU582-S is wired for DX581-S module with safety digital outputs and DI581-S or AI581-S modules are occasionally placed on this terminal unit, under no circumstances can the safety digital output clamps on TU582-S become energized due to a wrongly placed DI581-S or AI581-S safety I/O module.

Electrical connection

The electrical connection of the I/O channels is carried out using 40 terminals of the I/O terminal unit. I/O modules can be replaced without re-wiring the terminal units.

The terminals 1.8, 2.8, 3.8 and 4.8 as well as 1.9, 2.9, 3.9 and 4.9 are electrically interconnected within the I/O terminal unit and always have the same assignment, independent of the inserted module:
● Terminals 1.8, 2.8, 3.8 and 4.8: Process voltage UP = +24 V DC
● Terminals 1.9, 2.9, 3.9 and 4.9: Process voltage ZP = 0 V

The assignment of the other terminals:

Page 117: AC500-S Safety user manual V1.3.0 - ABB

Terminals | Signal | Meaning
1.0, 1.2, 3.0, 3.2 | I0-, I1-, I2-, I3- | Negative connectors of 4 analog inputs
2.0, 2.2, 4.0, 4.2 | I0+, I1+, I2+, I3+ | Positive connectors of 4 analog inputs
1.1, 1.3, 3.1, 3.3 | FE | Functional earth
1.8, 2.8, 3.8, 4.8 | UP | Process power supply +24 V DC
1.9, 2.9, 3.9, 4.9 | ZP | Central process earth
1.4 ... 1.7, 2.1, 2.3 ... 2.7, 3.4 ... 3.7, 4.1, 4.3 ... 4.7 | Free | Not used

NOTICE! The process voltage must be included in the earthing concept of the control system (e.g., earthing the minus pole).

NOTICE! The minus poles of the analog inputs are electrically connected to each other. They form an "analog ground" signal for the module. Because of their common reference potential, analog current inputs cannot be circuited in series, neither within the module nor with channels of other modules.

NOTICE! There is no electrical isolation between the analog circuitry and ZP/UP. Therefore, analog sensors must be electrically isolated in order to avoid loops via the earth potential or supply voltage.

NOTICE! Analog signals are always laid in shielded cables. The cable shields are earthed at both ends of the cables. In order to avoid unacceptable potential differences between different parts of the installation, low resistance equipotential bonding conductors must be laid. For simple applications (low disturbances, no high requirement on precision), the shielding can also be omitted.

Examples of connections

Examples of electrical connections with AI581-S module and single channels Ix.

Page 118: AC500-S Safety user manual V1.3.0 - ABB

[Fig. 55 residue: four current sources (+/-) wired to I0+ ... I3+ on terminals 2.0, 2.2, 4.0, 4.2 and to I0- ... I3- on terminals 1.0, 1.2, 3.0, 3.2; FE on 1.1, 1.3, 3.1, 3.3; UP +24 V on 1.8, 2.8, 3.8, 4.8; ZP 0 V on 1.9, 2.9, 3.9, 4.9; one PTC pair per channel]

Fig. 55: Example of electrical connections with AI581-S

NOTICE! The PTC shown in the connection diagram is built-in in AI581-S module.

[Fig. 56 residue: single channel I0 ... I3 with a current source (+/-), 0 ... +20 mA or +4 ... +20 mA]

Fig. 56: Example of single channels with AI581-S

3.5.4 Internal data exchange

Inputs (bytes) | 9
Outputs (bytes) | 1

3.5.5 I/O configuration

The safety analog input module AI581-S does not store configuration data itself. The configuration data is stored on the safety and non-safety CPUs.

3.5.6 Parameterization

The arrangement of the parameter data is performed by your system configuration software Automation Builder. ABB GSDML file for PROFINET devices can be used to configure AI581-S parameters in 3rd party PROFINET F-Host systems.

The parameter setting directly influences the functionality of modules and reachable SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1).

Page 119: AC500-S Safety user manual V1.3.0 - ABB

No. | Name | Values | Default
1 | Check supply | "On", "Off" | "On"
2 | Configuration | "Not used", "1 channel (0 ... 20 mA)", "1 channel (4 ... 20 mA)", "2 channel (4 ... 20 mA)" | "Not used"
3 | Noise rejection | "50 Hz", "60 Hz", "None" | "50 Hz"
4 | Tolerance range (used only for "2 channel (4 ... 20 mA)" mode) | "4 %", "5 %", "6 %", "7 %", "8 %", "9 %", "10 %", "11 %", "12 %" | "4 %"
5 | Used value (min/max) (used only for "2 channel (4 ... 20 mA)" mode) | "Minimum", "Maximum" | "Minimum"

3.5.7 Circuit examples AI581-S

Examples of electrical connections and reachable SIL (IEC 61508), max. SIL (IEC 62061) and PL (ISO 13849-1) with AI581-S module are presented below.

NOTICE! Whenever DC = High is used in the circuit examples with safety analog inputs, the following measure from ISO 13849-1 [9] is used with AI581-S module: Cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O). Whenever DC = Medium is used in the circuit examples with safety analog inputs, any of the measures for input devices with DC ≥ 90 % can be used from ISO 13849-1 [9].

Page 120: AC500-S Safety user manual V1.3.0 - ABB

Analog sensor (0 ... 20 mA)

Max. SIL / PL 1), 2) | Max. SIL 1 / PL c
SIL 3) | SIL 1

[Fig. 57 residue: AI581-S module front (terminals 1.0 ... 4.9, I0- ... I3-, I0+ ... I3+, FE, UP/ZP, LEDs PWR/ERR1/ERR2, ADDR x10H/x01H rotary switches) with one sensor 0 ... 20 mA supplied from 24 V DC/GND]

Fig. 57: Circuit example AI581-S, analog sensor (0 ... 20 mA)
1) MTTFd = High, DC = Low
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required) ➔ without error exclusion (you can reach higher levels up to SIL 3 with error exclusion)

Page 121: AC500-S Safety user manual V1.3.0 - ABB

2 analog sensors (0 ... 20 mA)

2-channel evaluation in AI581-S module
Max. SIL / PL 1), 2) | Max. SIL 2 / PL d
SIL 3) | SIL 3

[Fig. 58 residue: AI581-S module front (terminals 1.0 ... 4.9, I0- ... I3-, I0+ ... I3+, FE, UP/ZP, LEDs PWR/ERR1/ERR2, ADDR x10H/x01H rotary switches) with two sensors 0 ... 20 mA supplied from 24 V DC/GND]

Fig. 58: Circuit example AI581-S, 2 analog sensors (0 ... 20 mA)
1) MTTFd = High, DC = Medium
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

Page 122: AC500-S Safety user manual V1.3.0 - ABB

Analog sensor (4 ... 20 mA)

Max. SIL / PL 1), 2) | Max. SIL 2 / PL d
SIL 3) | SIL 2

[Fig. 59 residue: AI581-S module front (terminals 1.0 ... 4.9, I0- ... I3-, I0+ ... I3+, FE, UP/ZP, LEDs PWR/ERR1/ERR2, ADDR x10H/x01H rotary switches) with one sensor 4 ... 20 mA supplied from 24 V DC/GND]

Fig. 59: Circuit example AI581-S, analog sensor (4 ... 20 mA)
1) MTTFd = High, DC = Medium
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required) ➔ without error exclusion (you can reach higher levels up to SIL 3 with error exclusion)

Page 123: AC500-S Safety user manual V1.3.0 - ABB

2 analog sensors (4 ... 20 mA)

2-channel evaluation in AI581-S module
Max. SIL / PL 1), 2) | Max. SIL 3 / PL e
SIL 3) | SIL 3

[Fig. 60 residue: AI581-S module front (terminals 1.0 ... 4.9, I0- ... I3-, I0+ ... I3+, FE, UP/ZP, LEDs PWR/ERR1/ERR2, ADDR x10H/x01H rotary switches) with two sensors 4 ... 20 mA supplied from 24 V DC/GND]

Fig. 60: Circuit example AI581-S, 2 analog sensors (4 ... 20 mA)
1) MTTFd = High, DC = High
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

Page 124: AC500-S Safety user manual V1.3.0 - ABB

Transmitter (4 ... 20 mA)

Max. SIL / PL 1), 2) | Max. SIL 2 / PL d
SIL 3) | SIL 2

Fig. 61: Circuit example AI581-S, transmitter (4 ... 20 mA)
1) MTTFd = High, DC = Medium
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1) ➔ without error exclusion (you can reach higher levels up to PL e, max. SIL 3 with error exclusion)
3) Max. reachable SIL acc. IEC 61508 (type A components are required) ➔ without error exclusion (you can reach higher levels up to SIL 3 with error exclusion)

Page 125: AC500-S Safety user manual V1.3.0 - ABB

2 transmitters (4 ... 20 mA)

2-channel evaluation in AI581-S module
Max. SIL / PL 1), 2) | Max. SIL 3 / PL e
SIL 3) | SIL 3

Fig. 62: Circuit example AI581-S, 2 transmitters (4 ... 20 mA)
1) MTTFd = High, DC = High
2) Max. SIL (IEC 62061) / max. reachable PL (ISO 13849-1)
3) Max. reachable SIL acc. IEC 61508 (type A components are required)

3.5.8 LED status display

Table 8: Status display and its meaning

LED | Description | Color | LED = OFF | LED = ON | LED flashes
Inputs 0 ... 3 | Analog input | Yellow | Analog input = ca. 0 mA | Input = ON (LED light intensity depends on the input value) | --
Inputs 0 ... 3 | Channel error | Red | No channel error | Channel error | --
UP | Process voltage +24 V DC via terminal | Green | Process supply voltage is missing | Process supply voltage is OK | --

Page 126: AC500-S Safety user manual V1.3.0 - ABB

LED | Description | Color | LED = OFF | LED = ON | LED flashes
PWR | +3.3 V DC voltage from I/O bus | Green | +3.3 V DC I/O bus voltage is not available | +3.3 V DC I/O bus voltage is available | --
ERR1 / ERR2 | Module error indicator 1 / 2 | Red | No module error | Module error which leads to a SAFE STOP state | Module passivation and/or acknowledgment request (alternating blinking)

3.5.9 Technical data

NOTICE! AI581-S-XC version is available for usage in extreme environmental conditions, see Appendix A “System data for AC500-S-XC” on page 376.

Additional technical data is available in ABB PLC catalog at www.abb.com/plc.

Process supply voltage UP

Data | Value
Connections terminals 1.8 ... 4.8 (UP) | +24 V
Connections terminals 1.9 ... 4.9 (ZP) | 0 V
Rated value (-15 %, +20 %, without ripple) | 24 V DC
Max. ripple | 5 %
Protection against reversed voltage | yes
Rated protection fuse for UP (fast) | 10 A
Electrical isolation | per module
Mechanisms in which I/Os are processed | periodically refreshed
Conversion error of the analog values caused by non-linearity, adjustment error at factory and resolution within the normal range, typically | ±1 %
Conversion error of the analog values caused by non-linearity, adjustment error at factory and resolution within the normal range, max. | ±1.5 %
Maximum signal frequency | 70 Hz
Current consumption from UP at normal operation with +24 V DC (for module electronics) | 0.18 A
Inrush current from UP at 30 V (at power up) | 0.1 A²s
Inrush current from UP at 24 V (at power up) | 0.06 A²s

Mounting position

Horizontal or vertical with derating (maximal operating temperature reduced to +40 °C).

Cable length

Data | Value
Conductor cross section of analog cables | > 0.14 mm²
Max. analog cable length, shielded | 100 m

Page 127: AC500-S Safety user manual V1.3.0 - ABB

Cooling
  The natural convection cooling must not be hindered by cable ducts or other parts in the switchgear cabinet.

Allowed interruptions of power supply, according to EN 61131-2
  DC supply interruptions: < 10 ms
  Time between 2 DC supply interruptions, PS2: > 1 s

Environmental conditions
  Operating temperature*: 0 ... +60 °C
  Storage temperature: -40 ... +85 °C
  Transport temperature: -40 ... +85 °C
  Humidity without condensation: max. 95 %
  Operating air pressure: > 800 hPa
  Storage air pressure: > 660 hPa
  Operating altitude: < 2000 m above sea level
  Storage altitude: < 3500 m above sea level
  * Extended temperature ranges (below 0 °C and above +60 °C) can be supported in special versions of AI581-S, see Appendix A "System data for AC500-S-XC" on page 376.

Creepage distances and clearances
  The creepage distances and clearances meet overvoltage category II, pollution degree 2.

Power supply units
  For the supply of modules, power supply units according to PELV/SELV specifications must be used.

Electromagnetic compatibility
  For information on electromagnetic compatibility refer to the latest TÜV SÜD Report [1].

Mechanical properties
  Degree of protection: IP 20
  Housing: according to UL 94
  Vibration resistance acc. to EN 61131-2 (all three axes), continuous: 3.5 mm at 2 ... 15 Hz
  Vibration resistance acc. to EN 61131-2 (all three axes), continuous: 1 g* at 15 ... 150 Hz
  Shock test (all three axes), 11 ms half-sinusoidal: 15 g
  MTBF: 102 years
  * Higher values on request

Self-test and diagnostic functions
  Start-up and runtime tests: program flow control, RAM, CPU, ADC, etc.


Dimensions, weight
  W x H x D: 67.5 x 76 x 62 mm
  Weight (without terminal unit): ~ 130 g

Certifications
  CE, cUL (further certifications at www.abb.com/plc)

3.5.9.1 Technical data of safety analog inputs

DANGER! Exceeding the permitted process or supply voltage range (< -35 V DC or > +35 V DC) could lead to unrecoverable damage of the system.

  Number of channels per module: 4
  Configurability, 1 channel mode: 0 ... 20 mA
  Configurability, 1 channel mode: 4 ... 20 mA
  Configurability, 2 channel mode: 4 ... 20 mA
  Channel input resistance, in active mode: ~ 125 Ω
  Channel input resistance, in inactive mode: ~ 15 kΩ

Distribution of channels into groups
  2 groups of 2 channels each.

  Time constant of the input filter: 1 ms
  Conversion cycle: 0.33 ms
  Resolution: 14 bits
  Temperature coefficient, ± % of full scale (0 ... 20 mA): ±0.005 %/K
  Maximum error at +25 °C, ± % of full scale (0 ... 20 mA): ±0.25 %
  Maximum error over full temperature range, ± % of full scale (0 ... 20 mA): ±0.25 %
  Value of a LSB (least significant bit): 2.03 µA
  Maximum permanent allowed overload (no damage, self-protected), voltage: 32 V DC
  Maximum permanent allowed overload (no damage, self-protected), current: 24 mA
  Non-linearity (of full scale): ±0.05 %
  Sample repetition time: 3.3 ms
  Input filter characteristics: first order, filter time constant 1 ms
  Transition frequency: 160 Hz
  Overvoltage protection: yes


Electrical isolation
  Against internal supply and other modules.

Input signal indication
  One LED per channel.

Maximum temporary deviation during specified electrical interference test, ± % of full scale
  Deviation during radiated and conducted disturbance: < 0.1 %
  Deviation during burst test: max. 0.33 %
  Deviation during surge test: up to 50 %
  Deviation during electrostatic discharge: no deviation

Analog input protection
  Type of analog input protection: suppressor diode

Cable length
  Max. cable length, shielded: 100 m

3.5.10 Ordering data
  AI581-S: Safety analog input module 4SAI, part no. 1SAP 282 000 R0001
  AI581-S-XC: Safety analog input module 4SAI, extreme conditions, part no. 1SAP 482 000 R0001


3.6 TU582-S safety I/O terminal unit


Fig. 63: Safety I/O terminal unit TU582-S (spring-type) for safety I/O expansion modules

Elements of the module
1 I/O bus (10-pole, male)
2 I/O bus (10-pole, female)
3 Slot for I/O module
4 With a screwdriver inserted in this place, adjacent terminal units can be shoved apart.
5 Holes for wall mounting
6 40 spring terminals (signals and process voltage)

3.6.1 Functionality

The I/O terminal unit TU582-S (with spring-type terminals) is specifically designed for use with the AC500-S safety I/O modules AI581-S, DI581-S and DX581-S.

The safety I/O modules plug into the I/O terminal unit. When properly seated, they are secured with two mechanical locks. All the electrical connections are made through the terminal unit, which allows removal and replacement of the I/O modules without disturbing the wiring at the terminal unit.

The terminals 1.8 to 4.8 and 1.9 to 4.9 are electrically interconnected within the I/O terminal unit and always have the same assignment, independent of the inserted module:
● Terminals 1.8 to 4.8: Process voltage UP = +24 V DC
● Terminals 1.9 to 4.9: Process voltage ZP = 0 V

The assignment of the other terminals depends on the inserted safety I/O module (see DI581-S, DX581-S and AI581-S).


3.6.2 Mounting, dimensions and electrical connection

The safety I/O modules can be plugged only into the spring-type TU582-S I/O terminal unit. The unique mechanical coding of the I/O terminal units prevents placing a non-safety I/O module on a safety I/O terminal unit and vice versa. Basic information on system assembly is shown here; detailed information can be found in [3].

Installation and maintenance have to be performed according to the technical rules, codes and relevant standards, e.g. EN 60204 part 1, by skilled electricians only.


Fig. 64: Assembly instruction for mounting on a DIN rail

Assembly of TU582-S on DIN rail
  Put the terminal unit on the DIN rail from above and then snap it in below.

Assembly of TU582-S with screws
  The wall-mounting accessory TA526 is required.
  1. Snap TA526 onto the rear side of the terminal unit, as you would a DIN rail.


2. Fasten terminal unit with 2 M4 screws (max. 1.2 Nm).


Disassembly of TU582-S
  1. Shove the terminal units apart.
  2. Pull down the terminal unit and remove it.


Dimensions (Fig. 65)
  [Drawing residue removed. The dimension drawing shows a TU582-S with a DI581-S module inserted, for DIN rail 15 mm and DIN rail 7.5 mm. Dimensions marked in mm (inches): 135 (5.31), 84.5 (3.33), 77 (3.03), 76 (2.99), 75 (2.95), 70.5 (2.78), 67.5 (2.66), 59 (2.32), 57.7 (2.27), 54 (2.13), 28 (1.10), 21 (0.83).]

Fig. 65: Dimensions of TU582-S safety I/O terminal unit

  [Drawing residue removed. The spring terminal drawing shows terminals 1.5 ... 1.9 with the markings 8-9 mm, min/max 0.08/2.5 mm² (AWG 22-14) and Ø 3.5 mm.]

Fig. 66: Spring terminal (screw-driver opens terminal)

3.6.3 Technical data

NOTICE! The TU582-S-XC version is available for use in extreme environmental conditions, see Appendix A "System data for AC500-S-XC" on page 376.

Additional technical data is available in ABB PLC catalog at www.abb.com/plc.

Type
  Front terminal, conductor connection vertical with respect to the printed circuit board.

  Number of channels per module: 32
  Rated voltage: 24 V DC
  Max. permitted total current (between the terminals 1.8 ... 4.8 and 1.9 ... 4.9): 10 A

Distribution of channels into groups
  4 groups of 8 channels each (1.0 ... 1.7, 2.0 ... 2.7, 3.0 ... 3.7, 4.0 ... 4.7); the allocation of the channels is given by the inserted I/O expansion module.


Mounting position
  Horizontal or vertical.

Earthing
  Direct connection to the earthed DIN rail, or via the screws with wall mounting.

Conductor
  Conductor cross section, solid: 0.08 ... 2.5 mm²
  Conductor cross section, flexible: 0.08 ... 2.5 mm²
  Conductor cross section, with wire-end ferrule: 0.25 ... 1.5 mm²
  Stripped conductor end, minimum: 5 mm
  Stripped conductor end: 7 mm

Mechanical properties
  Degree of protection: IP 20
  MTBF: 2757 years
  Weight: ~ 200 g

3.6.4 Ordering data
  TU582-S: Safety I/O terminal unit, 24 V DC, part no. 1SAP 281 200 R0001
  TU582-S-XC: Safety I/O terminal unit, 24 V DC, extreme conditions, part no. 1SAP 481 200 R0001


4 Configuration and programming

4.1 Overview

4.1.1 Automation Builder

The engineering suite Automation Builder is a platform for configuration and programming of IEC 61131 related applications.

For configuring and programming safety applications, you must use Automation Builder with installed and licensed safety engineering and its safety components (AC500-S Programming Tool and safety configurator).

The safety concept for the safety components in Automation Builder assures that the programming system works correctly for implementing safety functions in AC500-S, meaning that programming system errors can be detected. The communication between the AC500-S Programming Tool and the safety CPU is not part of the safety loop, but is still subject to checks: for example, a CRC is used during the download of a project to verify that the data are transferred correctly and that there is no communication error. The user is responsible for additionally checking the version and functionality of the project as well as the proper configuration of safety and non-safety modules.

The Automation Builder safety components allow creating safety applications up to SIL 3 (IEC 61508, IEC 62061 and IEC 61511) / PL e (ISO 13849).

The compatible Automation Builder version depends on the safety and non-safety CPUs used, see Appendix B.1 "Compatibility with AC500 V2 non-safety CPU" on page 382 and Appendix C.1 "Compatibility with AC500 V3 non-safety CPUs" on page 400.

4.1.2 Safety engineering

You can easily check your installed and licensed safety engineering version and its safety components. This function is available as of Automation Builder 2.3.0.

With Automation Builder open, go to the menu "Help > About > Safety Version Information".

Fig. 67: Information on safety engineering and safety components

If a safety engineering version and the safety component versions are shown, this ensures that you are using released and assessed safety components. The safety components are released independently of Automation Builder releases. After installation of Automation Builder 2.3.0 or higher, the user has to check the safety engineering version, see Chapter 4.2 "Workflow" on page 136.


NOTICE! If no safety engineering and no safety components are shown, repeat the Automation Builder installation and make sure you have activated the appropriate license. If the error persists, contact ABB technical support.

4.1.3 Safety measures

A complete check of program logic and configuration must be performed to verify that the logic correctly and fully addresses the functional and safety requirements in your safety application specification. Each time you make a modification, re-check the modified project data and other relevant information.

DANGER! For the initial start-up of a safety CPU, or after a modification of the application program or configuration, the safety of the entire system must be checked by a complete functional test, which also includes checking that the safety application is correctly coded according to the functional specification.

4.1.4 Protection against unintended modifications

Protection mechanisms are integrated in the safety CPU and in Automation Builder with safety features to prevent unintentional or unauthorized modifications to the safety system:
● A modification of the safety application program generates a new boot project CRC version number.
● The user must be logged in to the safety CPU to access its operating options.
● Requirements of safety and other relevant application standards regarding protection against manipulation must be observed. The authorization of employees and the necessary protection measures are the responsibility of the operator in charge.

Unauthorized access to the safety CPU and safety program can be prevented by several passwords, see Chapter 4.3.3 "Creation of new project and user management" on page 137.

4.2 Workflow

The engineering workflow presented in this chapter describes only the steps needed to instantiate, configure and program safety modules and those non-safety modules which are part of the "black channel" [2] in the safe communication part. All other non-safety modules are covered separately in [3]. For more details on these steps refer to Chapter 4.3 "System configuration and programming" on page 137.
1. Install Automation Builder, as described in the installation guide.
2. Activate a license.
3. As of Automation Builder 2.3.0: check that the safety engineering and the safety components are available, see Chapter 4.1.2 "Safety engineering" on page 135.
4. Create a new project and configure user management to limit access to safety modules and their configuration to safety personnel only.
5. Install GSDML files to be able to configure 3rd party PROFIsafe F-Devices (optional step).
6. Instantiate and configure safety modules and non-safety modules. Define variable names in accordance with the safety programming guidelines, see Chapter 4.3.5 "Instantiation and configuration of safety modules / definition of variable names" on page 140.


7. Write your safety application program and pay attention to the system start-up procedure.
8. Check your program and system configuration. Use the SCA tool for static code analysis of your program, see Chapter 4.5 "Safety code analysis tool" on page 191. Follow the procedures for checking your configuration, see Chapter 4.3.7 "Checking of program and system configuration" on page 167.

4.3 System configuration and programming

In this chapter we provide a step-by-step explanation of how to configure and program the AC500-S safety PLC.

4.3.1 Installation

Install Automation Builder, as described in its installation guide.

4.3.2 License activation

Automation Builder 2.0.2 (or higher):
1. Order the DM220-FSE or DM221-FSE-NW add-on, part numbers 1SAS010020R0102 and 1SAS010021R0102.
2. Activate the license on your PC following the license activation instructions.

Automation Builder up to 1.2.4:
1. Order the PS501-S license, part number 1SAP198000R0001.
2. Activate the license on your PC following the license activation instructions.

4.3.3 Creation of new project and user management

Create a new project and configure user management to permit access to safety modules and their configuration to safety personnel only.
1. Use the "New project..." menu item in Automation Builder to create a new project.
2. Select a non-safety AC500 CPU in the menu. Make sure that you select one that supports safety CPUs, see Appendix B.1 "Compatibility with AC500 V2 non-safety CPU" on page 382 and Appendix C.1 "Compatibility with AC500 V3 non-safety CPUs" on page 400.

NOTICE! Pay attention to the non-safety CPU settings, see Appendix B.3 "AC500 V2 non-safety CPU parameters configuration" on page 391 and Appendix C.3 "AC500 V3 non-safety CPU parameters configuration" on page 406.

3. To create new users and maintain existing ones, go to "Project > Project Settings...".

NOTICE! In all newly created Automation Builder projects there is a default user "Owner" with an empty password. This is the project administrator. The project administrator is responsible for setting a new password for the user "Owner" and, in addition, for creating dedicated safety and non-safety users according to your project organization's needs.


Only members of the safety group are allowed to modify safety modules, change their configuration, etc. By default, users without a proper log-in and access rights cannot access safety modules. Access to the safety CPU and safety program can be protected by three passwords:
● Password for the safety CPU
● Password for the safety program in the AC500-S Programming Tool
  – max. 200 characters
  – allowed characters: (A-Z) (a-z) (0-9) Ä Ö Ü ä ö ü ß # § % ° ^ + - & _ ! @ ´ ~ * | ( ) { } [ ] , ; . : < > = / ' ?
● Password for safety modules and their configuration data in Automation Builder with safety features

The project administrator is allowed to use all available user management features to find the most suitable user setup with appropriate rights [3].

DANGER! It is the responsibility of the project administrator to set up proper user management for the given safety application project to avoid unauthorized access to safety modules. Passwords for users with safety group membership shall be properly selected (at least 8 symbols are recommended, with a combination of numbers and letters). Access to passwords must be strictly controlled. Make sure that you set the "Deny" permission for the proper users and groups (e.g., Everyone) through the menu "Project > User Management > Permissions..." to avoid unauthorized creation of new users in the safety group.
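The password rules above are easy to check mechanically. The following Python function is an added example written for this page; it is not ABB code and not part of Automation Builder or the AC500-S Programming Tool. It encodes the 200-character limit and the allowed character list for the safety program password, plus the recommendation from the DANGER note (at least 8 symbols, letters and digits mixed), and reports separately whether the tool's hard limits are met and which recommendations are not. The function name, and treating the space character as disallowed because it does not appear in the list, are the author's assumptions.

```python
import string

# Character set listed in this manual for the safety program password in the
# AC500-S Programming Tool: ASCII letters and digits, German umlauts and ß, and
# the listed symbols. Space is not in the list and is therefore rejected (assumption).
ALLOWED_CHARS = set(
    string.ascii_letters + string.digits + "ÄÖÜäöüß" + "#§%°^+-&_!@´~*|(){}[],;.:<>=/'?"
)
MAX_LEN = 200             # hard limit from the manual
RECOMMENDED_MIN_LEN = 8   # recommendation from the DANGER note on user management


def check_safety_password(password):
    """Check a candidate safety program password.

    Returns (hard_limits_ok, findings). hard_limits_ok is True when the
    length limit and the allowed character set are respected; findings lists
    every violated hard limit and every unmet recommendation in plain words.
    """
    findings = []

    # Hard limits of the tool
    if len(password) == 0:
        findings.append("empty password")
    if len(password) > MAX_LEN:
        findings.append(f"longer than {MAX_LEN} characters")
    disallowed = sorted({c for c in password if c not in ALLOWED_CHARS})
    if disallowed:
        findings.append("disallowed characters: " + " ".join(repr(c) for c in disallowed))
    hard_limits_ok = not findings

    # Recommendations from the DANGER note
    if len(password) < RECOMMENDED_MIN_LEN:
        findings.append(f"shorter than the recommended {RECOMMENDED_MIN_LEN} characters")
    has_digit = any(c.isdigit() for c in password)
    has_letter = any(c.isalpha() for c in password)
    if not (has_digit and has_letter):
        findings.append("recommended mix of letters and digits missing")

    return hard_limits_ok, findings


if __name__ == "__main__":
    # Constructed candidates, not from the manual
    for candidate in ("Sicher!2024", "abc", "pass word1"):
        ok, notes = check_safety_password(candidate)
        print(f"{candidate!r}: hard limits {'ok' if ok else 'violated'}; {notes or 'no findings'}")
```

The function keeps hard limits and recommendations apart on purpose: a password that the tool would accept but that ignores the DANGER note should be visible as such to the project administrator rather than silently pass.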

Fig. 68: Permissions for user and user groups

4.3.4 Working with PROFINET/PROFIsafe F-Devices

You have to install GSDML files to be able to configure 3rd party PROFIsafe F-Devices. In order to use 3rd party F-Devices with the AC500-S safety PLC, the safety devices must be on the PROFINET and support the PROFIsafe bus profile [2]. The basis for configuring all (safety and non-safety) PROFINET devices is the specification of the device in the GSDML file (generic station description markup language).


I/O device properties are saved in the GSDML file. For PROFINET/PROFIsafe devices, portions of the GSDML file data are protected by a CRC [2]. GSDML files are supplied by the device manufacturers.

NOTICE! Please contact ABB technical support for details on supported GSDML file versions; this depends on the version of your installed Automation Builder.

1. To install GSDML file, go to “Tools è Device Repository...” menu.


2. Press the [Install...] button to pick a GSDML file and install it.

After successful installation, the new devices are shown in the "Device Repository" under the "Profinet IO" object.

4.3.5 Instantiation and configuration of safety modules / definition of variable names

Instantiate the safety and non-safety modules which are part of the "black channel" for safe communication and configure them properly. Define variable names for input, output and PROFIsafe signals in accordance with the safety programming guidelines.
1. Select one of the four slots available for communication modules and the safety CPU and instantiate a safety CPU on it. Note that the slot number shall be the same as the physical slot number on which the safety CPU is attached.

2. Double-click on the safety CPU and set its parameters as needed, see Chapter 3.1.7 "Parameterization" on page 50.

NOTICE! Pay attention to the parameter "Enable debug". If this parameter is set to "Off", no new boot project can be loaded to the safety CPU.

3. To have remote stations in the system, you can instantiate the PROFINET IO controller communication module CM579-PNIO, for example in slot 2. Note that PROFINET is the only bus supported for PROFIsafe communication in the AC500-S safety PLC.


4. Now select the newly created CM579-PNIO module and instantiate the required number of PROFINET modules, e.g., CI501-PNIO, CI502-PNIO, etc., or any 3rd party PROFINET modules previously imported into the "Device Repository" using GSDML files. Details on how to set proper PROFINET device names and IP addresses can be found in [3].

5. On “IO_Bus” object, one can instantiate up to 10 I/O modules (safety or non-safety ones)located centrally on the non-safety CPU.

6. Similarly, up to 10 I/O modules (safety and non-safety) can be instantiated on any ABBPROFINET IO device.

GSDML file defines the maximum number of supported modules on 3rd party PROFINET IOdevices.

Parameters of safety I/O modules can be set by double-clicking on those modules. Each module has two types of parameters: F-Parameters and iParameters.

F-Parameters are parameters which were specially defined by the PROFIsafe group [2] to realize safe device communication and parameterisation. F-Parameter names are the same for all F-Devices (ABB and 3rd party devices). The most important of them for end-users are explained here.

F_SIL - defines the highest usable safety integrity level for the given F-Device. It shall not be higher than the value defined in the GSDML file of the F-Device.

F_Dest_Add - defines the F-Device address, which shall be the same address as the one set on the physical safety I/O device.

NOTICE! Make sure that F_Dest_Add is unique for all F-Devices, otherwise no valid safety configuration can be generated. A decimal number, or a hexadecimal number with the prefix 16# or 0x, can be used to set F_Dest_Add in Automation Builder.


F_Source_Add - defines the F-Host address, which shall be valid for the given F-Device.

F_WD_Time - defines the watchdog timeout of the F-Device connection. It is supervised on both the F-Host and the F-Device. If the F-Host detects a timeout, the F-Device is passivated and fail-safe values are sent. If the F-Device detects a timeout, it indicates this to the F-Host via the PROFIsafe status byte and sends fail-safe values. F_WD_Time is further used in safety function response time calculations, see Chapter 5.3 "Safety function response time" on page 334.

F_CRC_Seed - defines the supported PROFIsafe protocol version. If F_CRC_Seed does not exist or F_CRC_Seed = 0 in the GSDML (default, symbolic value "CRC_Seed16"), the F-Device supports PROFIsafe protocol version V2.4 and the improvements introduced with PROFIsafe protocol version V2.6 (e.g., use of long frames) are not supported. This ensures that all existing F-Devices (released before PROFIsafe protocol version V2.6) are still identified according to PROFIsafe protocol version V2.4. F_CRC_Seed = 1 (symbolic value "CRC_Seed24/32") indicates that PROFIsafe protocol version V2.6 is supported. The parameter is not changeable.

F_Passivation - only exists if PROFIsafe protocol version V2.6 is supported (F_CRC_Seed = 1). If F_Passivation = 1 (symbolic value "Channel"), support of the RIOforFA profile for the given F-Device will be requested, as specified in [12]. If F_Passivation = 0 (symbolic value "Device/Module") or does not exist in the GSDML, this profile will not be supported. The parameter is not changeable.

F_WD_Time_2 - is an optional second watchdog timeout, if supported by the F-Device. For the AC500-S safety CPU the given value (if present) has no effect, because the safety CPU does not have any procedures which require this second watchdog time. If present in the F-Parameter configuration editor, keep the parameter at its default value.

NOTICE! The safety I/O modules (AI581-S, DI581-S and DX581-S) and the F-Submodules "12 Byte In/Out (PROFIsafe V2.4)" and "8 Byte and 2 Int In/Out (PROFIsafe V2.4)" in the SM560-S-FD-1 / SM560-S-FD-4 only support PROFIsafe protocol version V2.4. The F-Parameters F_CRC_Seed and F_Passivation do not exist in their F-Parameter configuration. The F-Submodules "12 Byte In/Out (PROFIsafe V2.6)" and "123 Byte In/Out (PROFIsafe V2.6)" in the SM560-S-FD-1 / SM560-S-FD-4 are compliant with PROFIsafe protocol version V2.6; F_CRC_Seed ("CRC_Seed24/32") is indicated in their F-Parameter configuration. The F-Parameters F_Passivation and F_WD_Time_2 are not applicable for them and thus not configurable (F_Passivation = 0 and not changeable, F_WD_Time_2 does not exist).

F_iPar_CRC - is a special F-Parameter which is used for the safe transfer of iParameters to F-Devices. F_iPar_CRC is calculated outside the F-Parameter editor and therefore has to be copied manually from the "Checksum iParameter" field and pasted into the F_iPar_CRC field in the F-Parameter tab after pressing the [Calculate] button for the given F-Device.

Note that F_iPar_CRC also has to be recalculated for AC500-S safety I/O modules if F_Dest_Add is changed, because F_Dest_Add is also transported invisibly as an iParameter to the AC500-S safety I/O modules. It is needed in the AC500-S safety PLC for the comparison of the physical PROFIsafe address value set on the safety I/O device with the one configured in the engineering environment.


Fig. 69: Example for F-Parameters settings

Table 9: F-Parameters of AC500-S safety modules

F_Check_SeqNr
  Definition: Defines whether the consecutive number shall be included in the CRC2. In PROFIsafe V2-mode [2] the consecutive number always has to be included in CRC2 generation. Note: F_Check_SeqNr is not shown in the F-Parameter configuration for SM560-S-FD-1 and SM560-S-FD-4.
  Allowed values: "No Check" = 0, "Check" = 1
  Default value: "Check" = 1

F_Check_iPar
  Definition: Manufacturer-specific use within homogeneous systems
  Allowed values: "No Check" = 0, "Check" = 1
  Default value: "No Check" = 0

F_SIL
  Definition: Different safety functions using safety-relevant communication may require different safety integrity levels. The F-Devices are able to compare their own assigned SIL with the configured SIL (F_SIL). If it is higher than the SIL of the connected F-Device, the "device failure" status bit is set and a safe state reaction is triggered [2].
  Allowed values: "SIL1" = 0, "SIL2" = 1, "SIL3" = 2, "NoSIL" = 3
  Default value: "SIL3" = 2

F_CRC_Length
  Definition: Depending on the length of the F I/O data (12 or 123 octets) and the SIL level, a CRC of 2, 3 or 4 octets is required.
  Allowed values: "3 octet CRC" = 0, "4 octet CRC" = 2; not supported by SM560-S: "2 octet CRC" = 1
  Default value: "3 octet CRC" = 0 for the AC500-S safety I/O modules and the F-Submodules "12 Byte In/Out (PROFIsafe V2.4)" and "8 Byte and 2 Int In/Out (PROFIsafe V2.4)" for SM560-S-FD-1 and SM560-S-FD-4; "4 octet CRC" = 2 for the F-Submodules "12 Byte In/Out (PROFIsafe V2.6)" and "123 Byte In/Out (PROFIsafe V2.6)" for SM560-S-FD-1 and SM560-S-FD-4.


F_CRC_Seed
  Definition: This parameter is only supported for PROFIsafe protocol version V2.6. If F_CRC_Seed = 1, the F-Device supports PROFIsafe protocol version V2.6. Only the F-Submodules "12 Byte In/Out (PROFIsafe V2.6)" and "123 Byte In/Out (PROFIsafe V2.6)" for SM560-S-FD-1 and SM560-S-FD-4 support PROFIsafe protocol version V2.6.
  Allowed values: "CRC_Seed16" = 0, "CRC_Seed24/32" = 1
  Default value: Not visible for the safety I/O modules and the F-Submodules "12 Byte In/Out (PROFIsafe V2.4)" and "8 Byte and 2 Int In/Out (PROFIsafe V2.4)" for SM560-S-FD-1 and SM560-S-FD-4; "CRC_Seed24/32" = 1 for the F-Submodules "12 Byte In/Out (PROFIsafe V2.6)" and "123 Byte In/Out (PROFIsafe V2.6)" for SM560-S-FD-1 and SM560-S-FD-4.

F_Passivation
  Definition: This parameter is only supported for PROFIsafe protocol version V2.6. It defines whether channel-granular passivation according to RIOforFA is supported. Channel-granular passivation according to RIOforFA is not supported by the safety I/O modules or by the F-Submodules for the SM560-S-FD-1/SM560-S-FD-4. All safety I/O modules support their own channel-granular passivation; the F-Submodules for the SM560-S-FD-1/SM560-S-FD-4 do not need channel-granular passivation according to RIOforFA.
  Allowed values: "Device/Module" = 0, "Channel" = 1
  Default value: Not visible for the safety I/O modules and the F-Submodules "12 Byte In/Out (PROFIsafe V2.4)" and "8 Byte and 2 Int In/Out (PROFIsafe V2.4)" for SM560-S-FD-1 and SM560-S-FD-4; "Device/Module" = 0 for the F-Submodules "12 Byte In/Out (PROFIsafe V2.6)" and "123 Byte In/Out (PROFIsafe V2.6)" for SM560-S-FD-1 and SM560-S-FD-4.

F_Block_ID
  Definition: Type identification of parameters
  Allowed values: "No F_iPar_CRC within F-Parameter block" = 0, "F_iPar_CRC within F-Parameter block" = 1
  Default value: "F_iPar_CRC within F-Parameter block" = 1 for safety I/Os (AC500-S safety I/O modules can work only with this default value); "No F_iPar_CRC within F-Parameter block" = 0 for SM560-S-FD-1 and SM560-S-FD-4

F_Par_Version
  Definition: Version number of the F-Parameter set
  Allowed values: "Valid for V1-mode" = 0, "Valid for V2-mode" = 1
  Default value: "Valid for V2-mode" = 1 (AC500-S safety I/O modules can work only with this default value)

F_Source_Add
  Definition: F-Host source address. The F_Source_Add parameter is a logical address designation that can be assigned freely but unambiguously. F_Source_Add shall not be equal to F_Dest_Add for the given F-Device.
  Allowed values: [1 - 511] for SM560-S-FD-1 and SM560-S-FD-4; [1 - 239] for AC500-S safety I/O modules; [1 - 65534] for 3rd party PROFIsafe F-Devices (if no limitations of F_Source_Add are defined by the manufacturer). 0 and 65535 are not allowed.
  Default value: 1


2022/02/04 3ADR025091M0210, 14, en_US 144


(Table continued; columns: F_Parameter, Definition, Allowed values, Default value)

F_Dest_Add
Definition: The unique F-Device address which will be compared with the set hardware switch address in the F-Device. The F_Dest_Add parameter is a logical address designation that can be assigned freely but unambiguously.
Allowed values: [1 - 255] for AC500-S safety I/O modules. For SM560-S-FD-1 and SM560-S-FD-4:
● F_Dest_Add = Address Switch Value (1 - 239) * 100 + F-Device instance no. (0..31).
● Address switch values [240 - 255] are reserved for system functions.
Default value: 2 for safety I/O modules; 100 for SM560-S-FD-1 or SM560-S-FD-4

F_WD_Time
Definition: Watchdog time in ms for receipt of the new valid telegram
Allowed values: [10 - 10000]
Default value: ABB F-Devices: 100; 3rd party F-Devices: according to GSDML file

F_iPar_CRC
Definition: CRC over iParameters (manufacturer-specific) of F-Devices (safety I/Os).
Allowed values: [0 - 4294967295], Hex [0 - FFFFFFFF]
Default value: For safety I/O modules: dependent on the module iParameter default configuration. Not applicable for SM560-S-FD-1 and SM560-S-FD-4.

F_Par_CRC
Definition: CRC1 signature calculation across the F-Parameters
Allowed values: [0 - 65535], Hex [0 - FFFF]
Default value: Dependent on the module type
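The "Allowed values" column above can be turned into an offline pre-check that runs before a parameter set is committed to the F-Parameter editor. The following Python example is added here and is not ABB code or part of this manual: the device-kind labels safety_io, sm560_s_fd and third_party, the function names and the sample parameter sets are assumptions made for the example. It deliberately does not compute F_Par_CRC or F_iPar_CRC, because the manual does not specify those algorithms; it only checks that every value lies inside the ranges the table states.

```python
"""Offline range checks for PROFIsafe F-Parameters, encoding the
"Allowed values" column of the F-Parameter table.  Added example, not ABB
code; device-kind labels and sample values are constructed."""

from typing import Dict, List

# Allowed F_Source_Add ranges per kind of F-Device (from the table).
F_SOURCE_ADD_RANGE = {
    "safety_io": (1, 239),      # AC500-S safety I/O modules
    "sm560_s_fd": (1, 511),     # SM560-S-FD-1 / SM560-S-FD-4
    "third_party": (1, 65534),  # unless the manufacturer limits it further
}


def f_dest_add_sm560(switch_value: int, instance_no: int) -> int:
    """F_Dest_Add of one F-Device instance on SM560-S-FD-1/-4:
    address switch value (1-239) * 100 + F-Device instance no. (0..31)."""
    if not 1 <= switch_value <= 239:
        raise ValueError(f"switch value {switch_value} outside 1-239 "
                         "(240-255 are reserved for system functions)")
    if not 0 <= instance_no <= 31:
        raise ValueError(f"instance number {instance_no} outside 0..31")
    return switch_value * 100 + instance_no


def check_f_parameters(params: Dict[str, int], kind: str) -> List[str]:
    """Return a list of findings; an empty list means every value is in range."""
    findings: List[str] = []
    src, dst = params["F_Source_Add"], params["F_Dest_Add"]
    lo, hi = F_SOURCE_ADD_RANGE[kind]
    # 0 and 65535 are never allowed, whatever the device kind.
    if src in (0, 65535) or not lo <= src <= hi:
        findings.append(f"F_Source_Add={src} not in [{lo} - {hi}] for {kind}")
    if kind == "safety_io" and not 1 <= dst <= 255:
        findings.append(f"F_Dest_Add={dst} not in [1 - 255] for safety I/O module")
    if kind == "sm560_s_fd":
        switch, inst = divmod(dst, 100)   # inverse of switch*100 + instance
        if not (1 <= switch <= 239 and inst <= 31):
            findings.append(f"F_Dest_Add={dst} is not switch(1-239)*100 + instance(0..31)")
    if src == dst:
        findings.append("F_Source_Add must not equal F_Dest_Add for the same F-Device")
    wd = params["F_WD_Time"]
    if not 10 <= wd <= 10000:
        findings.append(f"F_WD_Time={wd} ms not in [10 - 10000]")
    if not 0 <= params.get("F_iPar_CRC", 0) <= 0xFFFFFFFF:
        findings.append("F_iPar_CRC outside [0 - FFFFFFFF]")
    if not 0 <= params.get("F_Par_CRC", 0) <= 0xFFFF:
        findings.append("F_Par_CRC outside [0 - FFFF]")
    if kind == "safety_io":
        # AC500-S safety I/O modules work only with these default values.
        if params.get("F_Block_ID", 1) != 1:
            findings.append("F_Block_ID must be 1 (F_iPar_CRC within F-Parameter block) for safety I/O")
        if params.get("F_Par_Version", 1) != 1:
            findings.append("F_Par_Version must be 1 (Valid for V2-mode) for safety I/O")
    elif kind == "sm560_s_fd" and params.get("F_Block_ID", 0) != 0:
        findings.append("F_Block_ID must be 0 for SM560-S-FD-1/-4")
    return findings


if __name__ == "__main__":
    # Constructed sample: a DI581-S whose F_Source_Add collides with F_Dest_Add.
    sample = {"F_Source_Add": 2, "F_Dest_Add": 2, "F_WD_Time": 100}
    for finding in check_f_parameters(sample, "safety_io"):
        print("finding:", finding)
```

An empty findings list only shows that the values are inside the table's ranges; the formal comparison of the F-Parameter tab against the values imported into AC500-S Programming Tool (checklist item 3, described later in this chapter) is still required.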

iParameters are individual F-Device parameters which are transferred to F-Devices with a proper F_iPar_CRC parameter.

NOTICE!
AC500-S PROFIsafe F-Host implementation does not support or only partially supports the following PROFIsafe conformance class Ä [2] functions:
– Communication function block set RDREC, WRREC, RDIAG and RALRM, as defined in Ä [11].
– iPar server services.
– Tool calling interface, as defined in Ä [2].

NOTICE!
After changing iParameters, you have to go to the “F-Parameter” tab, re-calculate the iParameter CRC and paste it into the F_iPar_CRC F-Parameter row. Otherwise, the new parameter set will not be accepted by the F-Device because F_iPar_CRC will not be a valid one for the given iParameter set.
As for 3rd party F-Devices coming from GSDML files, one has no “Checksum iParameter” feature, because Automation Builder does not know the specific algorithm used for F_iPar_CRC calculation in 3rd party devices. One has to calculate F_iPar_CRC using a special tool delivered by the F-Device manufacturer for engineering its F-Devices. Another option is to contact the vendor of the F-Device and ask for the F_iPar_CRC value for the given F-Device iParameter. As soon as F_iPar_CRC is available for the given 3rd party F-Device, one can paste it into the F_iPar_CRC row in the F-Parameter editor.


Fig. 70: Examples of iParameter settings for DI581-S safety module; all input channels are paired as "Channel X with Channel X + 8"

Fig. 71: Examples of iParameter settings for DX581-S safety module; input channels are paired as "Channel X with Channel X + 4"


DANGER!
If for one of the output channels you set Detection = OFF, a warning appears that the output channel does not satisfy max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) requirements in such a condition. Two safety output channels may have to be used to satisfy the required SIL or PL level.
The parameter "Detection" was created for customers who want to use safety outputs of DX581-S for max. SIL 1 (or max. SIL 2 under special conditions) or PL c (or maximum PL d under special conditions) safety functions and have fewer internal DX581-S pulses visible on the safety output line. Such internal pulses could be detected as a LOW signal by, for example, drive inputs, which would lead to an unintended machine stop.

Fig. 72: Examples of iParameter settings for AI581-S safety module; input channels are paired as "Channel X with Channel X + 2"

DANGER!
One can also use the generic device configuration view from the “DI581-S Parameters”, “DX581-S Parameters” or “AI581-S Parameters” tab to edit module and channel parameters. However, changing safety I/O parameters using the generic device configuration view is not recommended due to potential user mistakes during the parameter setting using integer numbers.

Furthermore, each F-Device has a special “I/O Mapping” tab in which variable names for input and output signals, PROFIsafe diagnostic bits, etc. can be defined.

DANGER!
If data types like Unsigned16, Unsigned32, Integer16, Integer32 or Float32, which require more than one byte, are used in PROFIsafe data, note the following. The byte order in such data types depends on the endianness of the used PROFIsafe device and the selected AC500 non-safety CPU type. The AC500 V2 non-safety CPU supports big-endian. The AC500 V3 non-safety CPU supports little-endian. Make sure that the symbolic variables are mapped properly and the delivered safety data is correctly represented in your safety application.


Fig. 73: Example with AI581-S module for variable mapping

It is also valid for DX581-S and DI581-S safety modules; the only difference is the number of input and output channels. Each process channel (Input 0 - Input 3 for AI581-S) additionally has the following bits:
● one bit for safe diagnostic (Safe_Diag bit) to be able to differentiate whether the process value is the real process state or a "0" value due to channel or module passivation.
● one bit Rei_Req for channel reintegration request, which can be used in the safety application program as a signal that an external error (e.g., sensor wiring error) was fixed and the channel can be reintegrated in the safety control. Higher overall system availability can be expected for end-customers, because they can selectively decide which channels have to be acknowledged and which not.
● one bit Ack_Rei for channel reintegration if the error was fixed (e.g., external sensor wiring was corrected). One can also define one variable as a BYTE for all Ack_Rei bits and use the 0xFF value to acknowledge all errors at once.

NOTICE!
When you define variable names for input signals, output signals and other safety signals, pay attention to the safety programming guidelines Ä Chapter 4.4 “Safety programming guidelines” on page 182.

NOTICE!
Only the BYTE data type is supported instead of WORD for safety data of the DI581-S module when an AC500 V3 non-safety CPU is used. It is needed to manage the endianness, which is different between the AC500 V2 non-safety CPU (big-endian) and the AC500 V3 non-safety CPU (little-endian). This shall be considered when a safety project is migrated from an AC500 V2 to a V3 non-safety CPU.
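The byte-order warning for multi-byte PROFIsafe data types and the BYTE-instead-of-WORD notice above describe the same migration hazard: the same bytes delivered by an F-Device decode to different values on an AC500 V2 (big-endian) and an AC500 V3 (little-endian) non-safety CPU. The following Python example is added here and is not ABB code or part of this manual; it assumes the data type names of the DANGER note, uses the CPU generation labels "V2" and "V3" as constructed keys, and constructs its sample bytes inline so it runs offline.

```python
"""Decode multi-byte PROFIsafe process values with the byte order of the
non-safety CPU that delivers them (AC500 V2: big-endian, AC500 V3:
little-endian).  Added example, not ABB code; sample bytes are constructed."""

import struct
from typing import Dict, Union

# struct format characters for the PROFIsafe data types named in the manual.
PROFISAFE_TYPES = {
    "Integer16": "h", "Unsigned16": "H",
    "Integer32": "i", "Unsigned32": "I",
    "Float32": "f",
}

# Byte order of the non-safety CPU generation (constructed labels).
CPU_BYTE_ORDER = {"V2": ">", "V3": "<"}

Number = Union[int, float]


def decode_value(raw: bytes, dtype: str, cpu: str) -> Number:
    """Interpret raw safety-data bytes as dtype using the CPU's byte order."""
    fmt = CPU_BYTE_ORDER[cpu] + PROFISAFE_TYPES[dtype]
    if len(raw) != struct.calcsize(fmt):
        raise ValueError(f"{dtype} needs {struct.calcsize(fmt)} bytes, got {len(raw)}")
    return struct.unpack(fmt, raw)[0]


def encode_value(value: Number, dtype: str, cpu: str) -> bytes:
    """Produce the bytes a device would have to send for the given CPU."""
    return struct.pack(CPU_BYTE_ORDER[cpu] + PROFISAFE_TYPES[dtype], value)


def migration_check(raw: bytes, dtype: str) -> Dict[str, Number]:
    """Show what the same bytes mean on each CPU generation.  A difference
    between the two entries is exactly the case the DANGER note warns about:
    a mapping that was correct on V2 is silently wrong after a V3 migration."""
    return {cpu: decode_value(raw, dtype, cpu) for cpu in CPU_BYTE_ORDER}


if __name__ == "__main__":
    # Constructed sample: an Integer16 value of 1000 as a big-endian device sends it.
    raw = encode_value(1000, "Integer16", "V2")
    print(raw.hex(), migration_check(raw, "Integer16"))
```

The same mechanism is why the DI581-S channel bits are mapped as BYTE rather than WORD on a V3 CPU: a single byte has no byte order, so the mapping survives the migration unchanged, whereas a WORD mapping would swap the two channel groups.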

4.3.6 Programming of AC500-S safety CPU

Write your safety application program and pay attention to the system start-up procedure.


NOTICE!
How to create, configure, modify and download a valid boot project for non-safety CPUs is described in Ä [3].
To avoid unexpected configuration errors, as a first step, download a valid project to the non-safety CPU. As a second step, download a safety project to the safety CPU.

1. Program and download a valid project to the non-safety CPU.
2. Start AC500-S Programming Tool by double-clicking the safety application node, e.g., “AC500_S”.
ð Before AC500-S Programming Tool is started, you may be asked to update your configuration. It is needed to transfer the updated configuration data (e.g., variable names, etc.) to AC500-S Programming Tool.

Fig. 74: AC500-S Programming Tool

DANGER!
Make sure that when AC500-S Programming Tool is started, the following properties can be observed:
– Yellow background
– SAFETY MODE is visible in the title bar


NOTICE!
When AC500-S Programming Tool is started for the first time in the Automation Builder project, you will be asked to manually confirm the included safety library identification data (version number and CRC). After this, the safety library identification data are saved in the project.
If you change the safety library content and replace it on your hard disk, the next time you start AC500-S Programming Tool you will be informed that one of the safety libraries changed. In the properties window for safety libraries you will still observe the initially saved CRC value. However, when you compile the project, you will get a CRC error message. The project will not be compiled by AC500-S Programming Tool because of the changed library.
To compile the project successfully, manually delete the selected safety library and add a new safety library with a new CRC. The new safety library with the new CRC will be accepted and no compilation error will be shown.


3. Define your user management for AC500-S Programming Tool.
All user management features of AC500-S Programming Tool are available for the project administrator Ä [3]. The project administrator has to set a user password for the newly created safety project. Go to “Project è User Group Passwords...” and set the password for the Level 0 User Group, which shall represent users from the safety user group in Automation Builder.

Fig. 75: Set passwords


4. Check your F-Device configuration in AC500-S Programming Tool.
If your configuration of F-Devices is final, you have to check that the F-Parameter values from the F-Parameter tab are the same as those imported to AC500-S Programming Tool: Go to the “Resources” tab in the safety project. Navigate to “Global Variables è PROFIsafe” and select the F-Device instance you want to check.

DANGER!
You have to formally confirm that the F-Parameter values from the F-Parameter tab are the same as those imported to AC500-S Programming Tool (item 3 in Ä Chapter 6.2 “Checklist for creation of safety application program” on page 343).

Fig. 76: F-Parameter values in AC500-S Programming Tool


5. All configured input and output variables can be found in separate global variable lists.

Fig. 77: Global variable list in AC500-S Programming Tool

ð DANGER!
It is not allowed to change read-only (see <R> sign) resources, task configuration and pre-certified POUs (CallbackInit, CallbackReadInputs, CallbackWriteOutputs, InitPROFIsafe, ReadPROFIsafeInputs, WritePROFIsafeOutputs) under the PROFIsafe folder in AC500-S Programming Tool. A change of <R> resources could lead to inconsistencies between Automation Builder and the safety project.

NOTICE!
All configured safety input and output variables can also be seen in the non-safety project (e.g., for their visualization in operator panels, data logging, etc.). The difference compared to the safety project is that the end-user is not able to modify the values of those safety variables from the non-safety project. It is prohibited by proper design.


6. Check the validity of the safety libraries.
In Library Manager, check that the CRCs of the used safety libraries are as listed in Ä Table 14 “Safety libraries” on page 192.

Fig. 78: All available safety libraries can be found in the Library Manager

ð DANGER!
The user is responsible for checking that only certified safety libraries are used in his project. Refer to the overview of certified safety libraries and CRCs Ä Chapter 4.6.1 “Overview” on page 192.
The user alone is responsible for all libraries which are created by him and referenced in the project for use in safety applications.
You have to formally confirm that no non-safety libraries are used in your safety application (item 19 in Ä Chapter 6.2 “Checklist for creation of safety application program” on page 343).

NOTICE!
The AC500-S safety CPU is a single-task machine, thus no task configuration is needed.


7. Start programming your safety application.
The safety application program must be identified using the following properties: project name, file name, change date, title, author, version, description and CRC. Using the menu item “Online è Check boot project in PLC”, one can check that the offline safety project and the boot project on the safety CPU are identical.
Forcing of variables is supported by the safety CPU, but only in DEBUG (non-safety) mode, which means that the user takes over complete responsibility for potential damages due to wrong system behavior in the DEBUG (non-safety) mode.

DANGER!
Forcing of variables in the safety CPU is only allowed after consulting the approving board responsible for site approval in operational customer applications. During forcing, the user in charge must ensure sufficient safety technical monitoring of the process by other technical, organizational and structural measures.

For safety applications developed with AC500-S, visualizations in AC500-S Programming Tool are allowed for debugging and maintenance purposes only.

DANGER!
Changing values via controls (e.g., "Write values") would cause the safety CPU to switch to DEBUG RUN mode, which is non-safe. In case of an activation of DEBUG RUN (non-safety) mode on the safety CPU, the responsibility for safe process operation lies entirely with the organization and person responsible for the activation of DEBUG RUN (non-safety) mode.

NOTICE!
ST, FBD and LAD are the only IEC 61131 languages supported by the safety CPU for safety programming. Pay attention to the safety programming guidelines Ä Chapter 4.4 “Safety programming guidelines” on page 182. ST with the subset defined in Ä Chapter 4.4 is equivalent to the limited variability language, as defined in IEC 61508.

NOTICE!
Do not create global variable lists using names beginning with the prefix "S_Module_". Global variable lists starting with "S_Module_" will be automatically updated by the AC500-S Programming Tool and may lead to the loss of user information.

For the safety PLC, it is important that all F-Devices are successfully initialized before program logic execution starts. F-Devices start in FV_activated mode Ä more details on the PROFIsafe F-Host stack: Chapter 4.6.3 SafetyBase_PROFIsafe_LV210_AC500_V22.lib on page 197. To realize a simultaneous start, we recommend using an own special POU, similar to SF_Startup explained below, which handles the various possible start-up scenarios in the PROFIsafe specification Ä [2] and then gives a "Ready" output as a trigger for further normal safety program logic execution. As you can see from the implementation below, it is enough if at least one of the channels in the DI581-S module has its PROFIsafe diagnostic bit set to 1, meaning that normal process values can be delivered.

Declaration part

FUNCTION_BLOCK SF_Startup
VAR_OUTPUT
    Ready: BOOL; (* Set to TRUE if all safety modules are initialized *)
END_VAR
VAR
    bTempReady: BOOL; (* Set to TRUE if DI581-S safety module is ready *)
END_VAR
VAR CONSTANT
    _TRUE: BOOL := TRUE;     (* Constant because TRUE is a literal *)
    _FALSE: BOOL := FALSE;   (* Constant because FALSE is a literal *)
    wdNull: WORD := 16#0000; (* Constant for Safety I/O initialization *)
END_VAR
VAR_EXTERNAL
    DI581_S: PROFIsafeStack; (* External declaration of the PROFIsafe stack instance of the DI581-S module *)
    IS_DI581_Started: WORD;  (* Global variable mapped in Automation Builder to all channel PROFIsafe
                                diagnostic bits of the DI581-S module; listed here so that every
                                external input of the block is explicit; its type must match the
                                mapped variable *)
END_VAR

Implementation part

(* Check if operator acknowledge is required for F-Device *)
IF DI581_S.OA_Req_S THEN                  (* The module requests an acknowledgment? *)
    DI581_S.OA_C := DI581_S.OA_Req_S;     (* Acknowledge it, if requested *)
(* IS_DI581_Started is the input variable for all channel PROFIsafe diagnostic bits
   set in Control Builder Plus / Automation Builder for DI581-S module *)
ELSIF IS_DI581_Started > wdNull THEN      (* Is this module initialized? *)
    bTempReady := _TRUE;                  (* Yes, the module is initialized *)
ELSE
    bTempReady := _FALSE;                 (* No, the module is not initialized yet *)
END_IF;

IF bTempReady THEN                        (* Set POU output signal *)
    Ready := _TRUE;
ELSE
    Ready := _FALSE;
END_IF;

NOTICE!
To acknowledge the F-Device after a module passivation, the OA_C command bit has to be toggled from ‘0’ to ‘1’ until the OA_Req_S status bit becomes "0".


8. Set up correct communication parameters.

Fig. 79: Set communication parameters


ð NOTICE!
Make sure that, to download the safety project, either the “ABB Tcp/Ip Level 2 AC” or the “ABB RS232 AC” communication channel was selected.

Fig. 80: Example with Ethernet connection

Note that "Address" is the IP address of your non-safety CPU, if supported on the non-safety CPU (you can also use a COM port for program download using a serial connection). Coupler (level 1) defines the position of the safety CPU (line 1 - position 1, line 2 - position 2 and so on). More details on "Communication Parameters" are in Ä [3].

Fig. 81: Example with a serial connection


9. Download your safety application to the safety CPU.
You can transfer your safety program to the safety CPU from a PC or using an SD card.
Ä “Download your safety program to the safety CPU from a PC” on page 160
Ä “Download your safety program to the safety CPU from an SD card” on page 162


Download your safety program to the safety CPU from a PC

10. Download your safety application and create a boot project so that your safety CPU can start safety program execution after a power cycle.

NOTICE!
The “Online Change” service is not supported by the safety CPU for safety reasons. It means that each program change of the safety project requires stopping the safety CPU, downloading a new boot project and then executing a power cycle or rebooting through the non-safety CPU to see the safety program change(s) become active.

NOTICE!
Only one user can be logged on to the given safety CPU at a time. It is needed to avoid multiple changes on the safety CPU from different users working at the same time. The limitation on the number of open connections only exists for the safety CPU, which means that it is still possible to simultaneously connect to the non-safety CPU, e.g., using web and OPC server functionality.

Fig. 82: Create boot project for the safety CPU


ð DANGER!
If the “Update Device...” function was used on safety modules, then a full functional test of all parts of the safety application has to be performed. This test must be carried out with the machine in its final configuration including mechanical, electrical and electronic components, sensors, actuators and software.

NOTICE!
Use the menu item “Online è Check boot project in PLC” to verify that the offline project and the boot project on the safety CPU are identical (file name, change date, title, author, version, description and CRC). The same comparison can be done with another boot project saved on the PC or SD card using the “Online è Check boot project in file system” menu item.
Note that before the boot project is created offline on the PC for a backup and later usage, the boot project has to be loaded at least once to the safety CPU.
It is highly recommended to execute the “Clean All” and “Rebuild All” commands from the “Project” menu before downloading the safety program to the safety CPU.

NOTICE!
The boot project CRC uniquely identifies the safety CPU boot project. Note that not only code changes but also different actions in the programming environment can lead to a new boot project CRC.
User actions which change the safety boot project CRC:
– In AC500-S Programming Tool:
  – Select tab “Resources”, open “Target settings” and press [OK] without any changes in the dialog.
  – Select “Project è Options” and press [OK] without any changes in the dialog.
  – Select tab “Resources”, open “Workspace” and press [OK] without any changes in the dialog.
– In Automation Builder:
  – Double-click on the safety CPU, go to the tab “CPU Parameters” and change any of the parameters, e.g., “Enable debug”. After that, open AC500-S Programming Tool (double-click on the safety application node).
  – With AC500 V2 non-safety CPU: Double-click on the safety CPU, make changes in the tab “Data exchange configuration” and open AC500-S Programming Tool (double-click on the safety application node).

NOTICE!
Remember that the non-safety CPU takes part in the iParameter transfer to F-Devices, thus you shall not only download your safety application program to the safety CPU, but also, in a similar way Ä [3], download the non-safety program to the non-safety CPU and create a boot project for the non-safety CPU.
If you do not follow the recommendation above, you may face a configuration error or passivation of some F-Devices.


DANGER!
Do not use the “Write file to PLC” command for the safety CPU because it may lead to the loss of important user information or the load of corrupted data on the safety CPU.

Skip the next step and continue with the step after it.

Download your safety program to the safety CPU from an SD card

11. Transfer your safety program to the safety CPU using an SD card.

DANGER!
If you transfer your safety program to the safety CPU using an SD card, you have to make sure that the inserted SD card contains the correct safety program. You can check this through program identification (e.g., boot project CRC) or other measures, such as a unique identifier on the SD card.

NOTICE!
The safety CPU boot project can be updated via SD card only if no boot project is present on the safety CPU Ä “Boot project update” on page 42.

● Transfer the safety program to the SD card Ä “Boot project update” on page 42.
● Perform a program identification - check if the SD card and offline (e.g., on PC) safety program CRCs match using “Online è Check boot project in file system”.
● Attach an appropriate label to the SD card.
The outlined procedure must be ensured through organizational measures.


12. You can use PLC browser commands after login on the safety CPU.
The following PLC browser commands from AC500-S Programming Tool are supported by the safety CPU:
? - List of available browser commands
reflect - Output of browser commands (for test purposes)
pid - It shows the project ID
pinf - It shows project information in AC500 format
getprgprop - It shows program properties in AC500 format
getprgstat - It shows program status in AC500 format
setpwd - It sets the safety CPU password (it is needed during login). This command is active only if the safety CPU "Enable debug" parameter was set to "ON" and a proper boot project was loaded to the non-safety CPU.
delpwd - It deletes the safety CPU password. This command is active only if the safety CPU "Enable debug" parameter was set to "ON" and a proper boot project was loaded to the non-safety CPU.
rtsinfo - It shows firmware and boot project information in AC500 format
proddata - It shows safety CPU production data in AC500 format
diagreset - It resets the diagnosis system of the safety CPU
diagack all - It acknowledges all errors
diagack x - It acknowledges all errors of class x (x = 1 .. 4)
diagshowall - It shows all errors in AC500 format
diagshow x - It shows all errors of class x
delappl - It deletes the boot project in the flash memory. This command is executed only in DEBUG STOP state of the safety CPU. After a safety CPU restart, one shall check that no boot project is available in the safety CPU. This command is active only if the safety CPU "Enable debug" parameter was set to "ON" and a proper boot project was loaded to the non-safety CPU.
deluserdat - It deletes user data in the flash memory. This command is executed only in DEBUG STOP state of the safety CPU. It is executed immediately and is active only if the safety CPU "Enable debug" parameter was set to "ON" and a proper boot project was loaded to the non-safety CPU.
applinfo - It shows the application information, e.g., results of time profiling using the functions SF_APPL_MEASURE_BEGIN and SF_APPL_MEASURE_END.
applinforeset - It resets all application information, e.g., time measurement values.
flashstatus - It shows the flash programming progress in the safety CPU in % when downloading boot code, firmware or a boot project.

None of the above-mentioned safety CPU PLC browser commands changes the state (e.g., from RUN to DEBUG RUN or DEBUG STOP, etc.) of the safety CPU.


NOTICE!
The following PLC browser commands from the safety CPU can influence its state:
resetprg: It prepares a safety CPU restart with initial variable values. The safety CPU changes its state, e.g., from RUN to DEBUG STOP. This command is only accepted if the safety CPU “Enable debug” parameter was set to “ON” and a proper boot project was loaded to the non-safety CPU.
resetprgorg: It restores the safety CPU original state (all variables, flash memory sections, etc. get original values). The safety CPU changes its state, e.g., from RUN to DEBUG STOP. This command is only accepted if the safety CPU “Enable debug” parameter was set to “ON” and a proper boot project was loaded to the non-safety CPU.

DANGER!
The results of “delappl”, “resetprgorg”, “setpwd” and “delpwd” command execution shall be checked by the end-user through a log-on after a power cycle of the safety CPU.

4.3.6.1 Safe CPU to CPU communication using SM560-S-FD-1 and SM560-S-FD-4

SM560-S-FD-1 and SM560-S-FD-4 safety CPUs provide up to 32 F-Device instances for safe CPU to CPU communication. The safety data of each F-Device instance is mapped to CM589-PNIO or CM589-PNIO-4 PROFINET IO device communication modules. CM589-PNIO and CM589-PNIO-4 communication modules allow physically separating their PROFINET network from that of the CM579-PNIO PROFINET IO controller communication module on the same non-safety CPU.
ABB GSDML files for CM589-PNIO/CM589-PNIO-4 PROFINET devices can be used to configure process and safety data parameters in 3rd party PROFINET/PROFIsafe F-Host systems. To support all kinds of 3rd party PROFIsafe F-Hosts, including those which limit the usage of the PROFINET UseAsBits attribute in one PROFIsafe module to 64 bits, e.g., Siemens S7 3xx-F CPUs, different types of safety data descriptions were defined.
Safety data descriptions compliant with PROFIsafe protocol version V2.4:
● Type 1: 12 bytes defined as UseAsBits.
● Type 2 (for F-Hosts which do not support 12 bytes defined as UseAsBits): 8 bytes defined as UseAsBits and two Integer16 values.
Safety data descriptions compliant with PROFIsafe protocol version V2.6:
● Type 3: 12 bytes defined as UseAsBits.
● Type 4: 123 bytes defined as UseAsBits.


Establish a safe CPU to CPU communication using PROFINET/PROFIsafe

1. Define master and slave controllers in the control system setup. Note that the same system could simultaneously be master and slave as well.
● All controllers which have to be masters only shall have at least a non-safety CPU, a CM579-PNIO IO controller and an SM560-S safety CPU.
● All controllers which have to be slaves only shall have at least a non-safety CPU, a CM589-PNIO IO device (or CM589-PNIO-4 if communication to more than 1 PROFINET IO controller is required; usage of more than 1 CM589-PNIO communication module is also supported) and an SM560-S-FD-1 safety CPU (or SM560-S-FD-4 if communication to more than 1 PROFINET IO controller is required).
● All controllers which have to be masters and slaves simultaneously shall have at least a non-safety CPU, a CM579-PNIO IO controller, a CM589-PNIO IO device (or CM589-PNIO-4 if communication to more than 1 PROFINET IO controller is required; usage of more than 1 CM589-PNIO communication module is also supported) and an SM560-S-FD-1 safety CPU (or SM560-S-FD-4 if communication to more than 1 PROFINET IO controller is required).

NOTICE!
Only one safety CPU can be attached to the non-safety CPU. The number of PROFINET communication modules for the given non-safety CPU is only limited by the number of available slots on it.

NOTICE!
3rd party PROFINET IO controllers with F-Hosts can also be used in the setup. Use CM589-PNIO / CM589-PNIO-4 GSDML files from www.abb.com/plc to connect an AC500-S PLC as a slave to 3rd party master systems.

2. After the selection of PROFINET communication modules and safety CPUs on master and slave systems, one has to define the number of safety bytes which have to be exchanged between the slave and master systems. A maximum of nearly 2000 safety bytes (including PROFIsafe status/control bytes and CRC) can be exchanged (for each input and output direction), depending on the used types of safety data description.
● E.g., when using safety data type 1..3 (by configuring 32 F-Device objects, which is the maximum configurable number of F-Device objects), a maximum of 384 bytes (excluding PROFIsafe status/control bytes and CRC) can be exchanged.
● E.g., when using safety data type 4 (by configuring 15 F-Device objects), 1845 bytes of safety data (excluding PROFIsafe status/control bytes and CRC) could be exchanged. Note that a maximum of 1440 bytes can be exchanged using CM589-PNIO or CM589-PNIO-4 communication modules. You have to add more than one CM589-PNIO or CM589-PNIO-4 communication module to overcome this limitation. Contact ABB technical support for assistance.


3. Safety bytes can be instantiated on slave systems by selecting, respectively, CM589-PNIO or CM589-PNIO-4 modules and instantiating the F-Device objects on them. The configuration of CM589-PNIO or CM589-PNIO-4 modules and the instantiation of non-safety process data is explained separately in Ä [3]. SM560-S-FD-1 and SM560-S-FD-4 can handle up to 32 F-Device objects in total with a maximum data size of 1400 bytes (for each communication direction).

NOTICE! The PROFIsafe F_Dest_Add values are consecutively assigned to these instances in the Automation Builder project according to their order (no mixture is possible). The expected base address for this group is defined using the safety CPU rotary address switch and the configured F-Parameter value in the master system project (see Chapter 3.1.2.5 “Address / configuration switch / F_Dest_Add settings” on page 38).

After the instantiation of the F-Device objects, one can assign variable names for the instantiated IN and OUT safety data. These variables can later be used in the safety CPU application program after AC500-S Programming Tool is opened. To be able to access the safety data in the safety CPU program, it is mandatory to give symbolic names to the required safety data.

4. In each master system configuration, one has to instantiate CM589-PNIO or CM589-PNIO-4, respectively, under CM579-PNIO to establish the PROFINET connection to slave systems (see [3]). The PROFINET shared device functionality supported by CM589-PNIO-4 shall also be taken into account if slave system data shall be exchanged with more than one (up to 4) other control system.

5. Similar to the slave system configuration, one has to instantiate the corresponding F-Device objects on each master system. Note that the order of the objects and their types in the master configuration must be the same as in the slave configuration; otherwise a configuration error is to be expected in run mode. The names of the instantiated F-Device objects can be freely chosen.

6. By double-clicking on each instantiated F-Device object, one shall assign proper F-Parameter values. F_Dest_Add shall be set correctly for each instantiated object.

NOTICE! Refer to the rules for F_Dest_Add address settings and observe that only counting upwards is allowed according to the order of modules in the Automation Builder object tree (the upper object has the lowest F_Dest_Add value); see Chapter 3.1.2.5 “Address / configuration switch / F_Dest_Add settings” on page 38.

For example, we have set the rotary address switch on the slave system safety CPU (SM560-S-FD-1 or SM560-S-FD-4) to the value 0x01. This means that our available F_Dest_Add range is 100 ... 131 (see Chapter 3.1.2.5 “Address / configuration switch / F_Dest_Add settings” on page 38). The first safety object (F-Device object) must use the lowest number, 100. The second must use 101, and so on.

7. As for F_Source_Add, one can use all values of the allowed range (1 - 511). One has to pay attention, however, if the slave system also has master functionality, e.g., for safety I/O modules. In the latter case, it is not allowed to use the same F_Source_Add for F-Device objects as the F_Source_Add used in the slave system for its own F-Devices, e.g., safety I/O modules (more details on the rules which have to be taken into account for F_Source_Add and F_Dest_Add assignment: see Chapter 3.1.2.5 “Address / configuration switch / F_Dest_Add settings” on page 38).

8. After the instantiation of F-Device objects in the master system configuration, one can assign variable names for the instantiated IN and OUT safety data. These variables can later be used in the safety CPU application program. To be able to access the safety data in the safety CPU program, it is mandatory to give symbolic names to the required safety data. The symbolic variable names can be freely chosen, but have to be unique.


9. If SM560-S-FD-4 is used as part of PROFINET shared device communication (refer to the documentation for CM589-PNIO-4 in [3]) to also exchange safety data with up to 4 master systems, one has to disconnect the unused safety communication modules on each master system. This allows selecting which of the configured F-Submodules ("12 Byte In/Out (PROFIsafe V2.4)" / "8 Byte and 2 Int In/Out (PROFIsafe V2.4)" / "12 Byte In/Out (PROFIsafe V2.6)" / "123 Byte In/Out (PROFIsafe V2.6)") in the slave system communicates with which master system. Each instantiated safety communication module can have only one connection to one of the master systems. Therefore, all safety communication modules which are connected to other master systems shall be set to "Disconnected" using the "Disconnect module" command in the menu of the master system project. The disconnected modules get a grey background. Using the "Connect module" command in the menu for the given communication module, one can re-connect them to the given master system.

NOTICE! If the same safety communication module is connected to more than one master system, then the connection is only established with the fastest of the master systems during the start-up and parameterization phase. The other master systems do not receive any data in this case. Make sure that all configured safety communication modules (F-Device objects) are correctly connected to the master systems. A wrong configuration may result in error messages (see Appendix B.2 “Error messages with AC500 V2 non-safety CPU” on page 383 and Appendix C.2 “Error messages with AC500 V3 non-safety CPUs” on page 401).
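The address and connection rules of steps 2 to 9 can be checked mechanically before the project goes to SVT. The following Python script is an added example and not ABB tooling: the data classes, the sample project with two master systems (Master_A, Master_B) and the rotary switch base address table (only the manual's 0x01 → 100 case is encoded) are constructed for this example. The checks it performs are the limits and rules stated in the steps above: 32 F-Device objects and 1400 bytes per direction on the safety CPU, 1440 bytes per CM589-PNIO(-4), F_Dest_Add counting upward from the base, F_Source_Add in 1..511 and not reused from the slave's own F-Devices, and exactly one master per safety communication module in a shared-device setup.

```python
"""Consistency pre-checks for a safe CPU-to-CPU PROFINET/PROFIsafe configuration.

Added example, not ABB tooling.  Encodes the rules of steps 2 to 9 of the manual;
data classes, names and the sample project are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Safety data bytes carried by the four F-Submodule types named in the manual
# (excluding PROFIsafe status/control bytes and CRC).
SUBMODULE_BYTES: Dict[str, int] = {
    "12 Byte In/Out (PROFIsafe V2.4)": 12,
    "8 Byte and 2 Int In/Out (PROFIsafe V2.4)": 12,   # 8 bytes + 2 x 16-bit INT
    "12 Byte In/Out (PROFIsafe V2.6)": 12,
    "123 Byte In/Out (PROFIsafe V2.6)": 123,
}
MAX_FDEVICES_PER_CPU = 32     # SM560-S-FD-1 / SM560-S-FD-4 (step 3)
MAX_BYTES_PER_CPU = 1400      # per communication direction on the safety CPU (step 3)
MAX_BYTES_PER_CM589 = 1440    # per CM589-PNIO / CM589-PNIO-4 module (step 2)
F_SOURCE_ADD_MIN, F_SOURCE_ADD_MAX = 1, 511   # allowed F_Source_Add range (step 7)

# Base F_Dest_Add for the rotary switch value used in the manual's example
# (0x01 -> 100 ... 131).  Other values follow Chapter 3.1.2.5 and are not guessed here.
ROTARY_SWITCH_BASE: Dict[int, int] = {0x01: 100}


@dataclass
class FDeviceObject:
    """One instantiated F-Device object, on the slave side or on a master side."""
    submodule: str               # key of SUBMODULE_BYTES
    cm589: str = "CM589_1"       # slave side: module the object is instantiated on
    f_dest_add: int = 0          # master side: F-Parameter F_Dest_Add
    f_source_add: int = 0        # master side: F-Parameter F_Source_Add
    connected: bool = True       # master side: "Connect module" / "Disconnect module"


@dataclass
class SlaveSystem:
    rotary_switch: int                          # address switch of the slave safety CPU
    objects: List[FDeviceObject]                # in Automation Builder object-tree order
    own_f_source_adds: List[int] = field(default_factory=list)  # slave as F-Host for its own safety I/O


def safety_bytes(submodule: str, count: int) -> int:
    """Safety data bytes per direction for `count` objects of one submodule type."""
    return SUBMODULE_BYTES[submodule] * count


def check_cpu_to_cpu_config(slave: SlaveSystem,
                            masters: Dict[str, List[FDeviceObject]]) -> List[str]:
    """Return findings as text; an empty list means every check passed."""
    findings: List[str] = []
    # Limits on the slave safety CPU and its CM589 modules (steps 2 and 3).
    if len(slave.objects) > MAX_FDEVICES_PER_CPU:
        findings.append(f"slave: {len(slave.objects)} F-Device objects exceed {MAX_FDEVICES_PER_CPU}")
    total = sum(SUBMODULE_BYTES[o.submodule] for o in slave.objects)
    if total > MAX_BYTES_PER_CPU:
        findings.append(f"slave: {total} safety bytes per direction exceed {MAX_BYTES_PER_CPU}")
    per_module: Dict[str, int] = {}
    for o in slave.objects:
        per_module[o.cm589] = per_module.get(o.cm589, 0) + SUBMODULE_BYTES[o.submodule]
    for module, n in per_module.items():
        if n > MAX_BYTES_PER_CM589:
            findings.append(f"slave: {n} safety bytes on {module} exceed {MAX_BYTES_PER_CM589}; "
                            "add a further CM589-PNIO(-4) module")
    # F-Device objects and F-Parameters on every master (steps 5 to 7).
    base = ROTARY_SWITCH_BASE.get(slave.rotary_switch)
    if base is None:
        findings.append(f"slave: F_Dest_Add base for rotary switch {slave.rotary_switch:#04x} unknown here")
    connections = [0] * len(slave.objects)   # number of masters connecting each slave object
    for name, objects in masters.items():
        if [o.submodule for o in objects] != [o.submodule for o in slave.objects]:
            findings.append(f"{name}: F-Device objects differ from the slave in number, order or type")
            continue
        for i, o in enumerate(objects):
            if base is not None and o.f_dest_add != base + i:
                findings.append(f"{name}: object {i} has F_Dest_Add {o.f_dest_add}, expected {base + i}")
            if not F_SOURCE_ADD_MIN <= o.f_source_add <= F_SOURCE_ADD_MAX:
                findings.append(f"{name}: object {i} has F_Source_Add {o.f_source_add} outside 1..511")
            elif o.f_source_add in slave.own_f_source_adds:
                findings.append(f"{name}: object {i} reuses F_Source_Add {o.f_source_add} "
                                "that the slave uses for its own F-Devices")
            if o.connected:
                connections[i] += 1
    # Shared device (step 9): each safety communication module talks to exactly one master.
    for i, n in enumerate(connections):
        if n == 0:
            findings.append(f"slave object {i}: not connected to any master system")
        elif n > 1:
            findings.append(f"slave object {i}: connected to {n} master systems; "
                            "only the fastest one would receive data")
    return findings


def example_configuration(shared_device_ok: bool = True):
    """Constructed sample: one SM560-S-FD-4 slave (switch 0x01) shared by two masters."""
    slave = SlaveSystem(rotary_switch=0x01,
                        objects=[FDeviceObject("12 Byte In/Out (PROFIsafe V2.6)"),
                                 FDeviceObject("123 Byte In/Out (PROFIsafe V2.6)")],
                        own_f_source_adds=[7])   # slave is also F-Host for a safety I/O module
    masters = {
        "Master_A": [FDeviceObject("12 Byte In/Out (PROFIsafe V2.6)", f_dest_add=100, f_source_add=20, connected=True),
                     FDeviceObject("123 Byte In/Out (PROFIsafe V2.6)", f_dest_add=101, f_source_add=21, connected=False)],
        "Master_B": [FDeviceObject("12 Byte In/Out (PROFIsafe V2.6)", f_dest_add=100, f_source_add=30, connected=False),
                     FDeviceObject("123 Byte In/Out (PROFIsafe V2.6)", f_dest_add=101, f_source_add=31, connected=True)],
    }
    if not shared_device_ok:
        # Three typical mistakes: object 0 left connected on both masters, the slave's
        # own F_Source_Add reused, and F_Dest_Add not counting upward from the base.
        masters["Master_B"][0].connected = True
        masters["Master_B"][0].f_source_add = 7
        masters["Master_B"][1].f_dest_add = 102
    return slave, masters
```

Running `check_cpu_to_cpu_config(*example_configuration())` yields no findings, while `example_configuration(shared_device_ok=False)` produces one finding for each of the three injected mistakes. The script is a pre-check only; the SVT checklist described in the following section remains the mandatory verification.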

4.3.7 Checking of program and system configuration

Check your program and system configuration. Use Chapter 6.2 “Checklist for creation of safety application program” on page 343. It is important that you are able to successfully fill out the checklist and sign it. No safety program shall be approved without a positively completed checklist. If some items from the checklist cannot be fulfilled, then a proper justification shall be provided in the comment section.

4.3.7.1 Checking of program and system configuration with Safety Verification Tool (SVT)

Automation Builder 2.3.x (and newer) has an integrated Safety Verification Tool (SVT) that is installed with the AC500-S software package as part of the Automation Builder installation. SVT verifies the AC500-S safety configuration in Automation Builder and generates an SVT checklist that AC500-S users shall use to manually complete the functional safety verification of the Automation Builder project.

DANGER! SVT is mandatory for use with Automation Builder 2.3.x (and newer).

In Automation Builder 2.2.x and earlier versions, there was no need to use SVT due to other procedures used to verify the functional safety integrity of the Automation Builder project. Use SVT to verify that the safety project in AC500-S Programming Tool matches your safety project in Automation Builder.


4.3.7.1.1 Functionality

SVT reads the IEC 61131 program objects from the safety project created with AC500-S Programming Tool and the description files for the safety devices in Automation Builder, verifies the data from both sources and creates the SVT checklist. The SVT checklist is a text file that you can open with any text editor and print out, if necessary. Refer to the SVT checklist examples in the figures that follow.
The SVT checklist has several sections:
● A project information section with general information on the safety project (see “Project information section” on page 169).
● Sections for each safety device in the safety project (see “Safety device sections” on page 169).
● A section for the safety CPU in the safety project (see “Safety CPU section” on page 173).
● A section for the used libraries (see “Libraries section” on page 173).
SVT verifies, for example:
● The integrity of the global variables for I/O mapping for each safety device in the safety project.
● The integrity of the mapped I/O variables versus the I/O structure description.
● The checksum of the F-Parameters for each safety device.
● The integrity of the F-Parameters with the F-Parameter description.

DANGER! In addition to successfully passed automatic checks, you must successfully complete all of the manual checks in the SVT checklist.

NOTICE! Use SVT on the final Automation Builder project, after which no further changes in the functional safety project part leading to a new boot project CRC are expected.


Project information section

The SVT checklist starts with a section that is used to manually verify information regarding the whole safety project.

Fig. 83: Example of a project information section of an SVT checklist

1 Time stamp and version information
2 Result of the automatic consistency checks done by SVT
3 Reference to the safety project
4 Data checksum for the whole SVT checklist
5 List of the safety devices in the safety project

Safety device sections

After the project information section, the SVT checklist has individual sections for each safety device in the safety project. The content of each safety device section depends on the type of the safety device.


ABB safety devices

Fig. 84: Example of a safety device section for DX581-S safety I/O module

1 Result of the automatic consistency checks done by SVT
2 Data checksum for the safety device section
3 Safety device type description
4 Input and output mapping list for the safety device
5 List of F-Parameters for the safety device


F-Devices on AC500-S safety CPUs

F-Devices on AC500-S safety CPUs SM560-S-FD-1 and SM560-S-FD-4 also include a section with information on the position of the safety device in the safety project in Automation Builder.

Fig. 85: Example of a safety device section for an F-Device on AC500-S safety CPUs

1 Position of the safety device in the safety project in Automation Builder under all CM589-PNIO(-4) nodes


3rd party safety devices

3rd party safety device sections also have the Module ID and information on the GSDML file in the SVT checklist.

Fig. 86: Example of a safety device section for a 3rd party safety device

1 Module ID
2 Information on the GSDML file


Safety CPU section

In the same way as for the safety device sections, the safety CPU section includes information about the automatic checks, the data checksum and the manual checks for the safety CPU.

Fig. 87: Example of a safety device section for the safety CPU

1 Result of the automatic consistency checks done by SVT
2 Data checksum for the safety CPU section
3 Parameter "PROFIsafe startup timeout" of the safety CPU

Libraries section

The libraries section includes a data checksum to indicate changes to the used safety libraries and the CRCs of the used safety libraries.

Fig. 88: Example of the libraries section

1 Data checksum for the safety libraries
2 Library CRCs


End of SVT checklist

After the libraries section, the SVT checklist ends with the line "End of SVT checklist" and, after that, optional fields like date, signature, etc.

Fig. 89: End of SVT checklist with optional fields

4.3.7.1.2 How to run SVT

1. In Automation Builder, go to the safety CPU application node, e.g., “AC500_S”.
2. Right-click the node to open the context menu.
3. Select “Create Safety Configuration Data”.
4. Select “Verify Safety Project Integrity”.

NOTICE! The “Verify Safety Project Integrity” command may not be active, e.g., when the safety project is open or when you did not run the “Create Safety Configuration Data” command before. Save and close the safety project before you use SVT.

5. If working with password protected safety projects, Automation Builder will request the password (see “Access to safety CPU and safety program can be protected by three passwords.” on page 138).

⇨ When SVT runs, the Automation Builder user interface is disabled. For large safety projects this can take several minutes. When the SVT run is complete, Automation Builder shows a message to indicate that the SVT verification is done.

The message shows the path and name of the SVT checklist. The file name contains the name of the AC500-S safety CPU application node as well as the date and time of the SVT run. The date is in ISO format (YYYY-MM-DD) and the time in hours-minutes-seconds (hh-mm-ss) format.


The SVT checklist has one data checksum for the whole document file and a data checksum for each safety device in the safety project. You can use the data checksums to verify whether the safety project has changed. If all of the data checksums in the SVT checklist are identical, there are no changes in the safety project and you do not need to repeat the manual checks. Note that upgrading a project to a newer version of Automation Builder may lead to a changed SVT data checksum (see Step 3 on page 176).

NOTICE! You can run SVT as often as you want to verify your safety project. We recommend that you archive the SVT checklists for final project revisions that are taken into use. You can then use the archived SVT checklists as a reference when you verify changes to your safety projects. An archived and verified SVT checklist allows you to skip sections and safety devices that you have already verified, if the data checksums did not change. You can also skip the manual checks for sections that have identical data checksums to the previously validated version of the SVT checklist. You only need to do the manual checks for sections in the SVT checklist that have a different data checksum.

For large safety projects, you can use a suitable software tool to compare two textual versions of the SVT checklist and locate any differences.
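As an added example (not part of SVT or of ABB's tooling), the following Python script performs the comparison described above for two textual SVT checklists: it reads the data checksum of the project information section and of every safety device, safety CPU and libraries section, and reports which sections need their manual checks repeated. Because the manual shows the SVT checklist only in figures, the file layout parsed here ("Section:" headings, "Data checksum:" lines, the "End of SVT checklist" line) and both sample checklists are constructed for this example; adapt the two regular expressions to the actual layout produced by your SVT version.

```python
"""Compare two SVT checklist text files by their data checksums.

Added example, not part of SVT or of ABB's tooling.  The checklist layout below is
a constructed, simplified stand-in for the real file: each section opens with
"Section: <name>", carries a "Data checksum: <hex>" line unless SVT reported
errors for it, and the file ends with the line "End of SVT checklist".
"""
import re
from typing import Dict, List, Optional

PROJECT_SECTION = "Project information"   # the unnamed first section of the file
END_MARKER = "End of SVT checklist"
SECTION_RE = re.compile(r"^Section:\s*(.+?)\s*$")          # constructed layout
CHECKSUM_RE = re.compile(r"^Data checksum:\s*([0-9A-Fa-f]+)\s*$")


def parse_checklist(text: str) -> Dict[str, Optional[str]]:
    """Map each section name to its data checksum (None = no checksum, i.e. errors)."""
    sections: Dict[str, Optional[str]] = {PROJECT_SECTION: None}
    current = PROJECT_SECTION
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = None
            continue
        m = CHECKSUM_RE.match(line)
        if m:
            sections[current] = m.group(1).upper()
    return sections


def has_end_marker(text: str) -> bool:
    """The presence of the end-of-checklist line is itself one of the manual checks."""
    return any(line.strip() == END_MARKER for line in text.splitlines())


def compare_checklists(previous: str, current: str) -> Dict[str, List[str]]:
    """Classify every section of `current` against the previously validated checklist."""
    old, new = parse_checklist(previous), parse_checklist(current)
    result: Dict[str, List[str]] = {"unchanged": [], "changed": [], "added": [], "no_checksum": []}
    for name, checksum in new.items():
        if checksum is None:
            result["no_checksum"].append(name)       # SVT reported errors for this section
        elif name not in old:
            result["added"].append(name)
        elif old[name] == checksum:
            result["unchanged"].append(name)
        else:
            result["changed"].append(name)
    result["removed"] = [name for name in old if name not in new]
    return result


def sections_needing_manual_check(previous: str, current: str) -> List[str]:
    """Sections whose manual checks must be repeated; empty when nothing changed."""
    old, new = parse_checklist(previous), parse_checklist(current)
    result = compare_checklists(previous, current)
    whole_old, whole_new = old.get(PROJECT_SECTION), new.get(PROJECT_SECTION)
    if whole_new is not None and whole_new == whole_old and not result["no_checksum"]:
        return []   # whole-document checksum unchanged and no error sections: nothing to repeat
    return result["changed"] + result["added"] + result["no_checksum"]


# Constructed sample checklists (not real SVT output).
PREVIOUS_CHECKLIST = """\
SVT checklist (constructed sample)
Created: 2022-02-04 10-15-30
Automatic checks: PASSED
Data checksum: 7F3A21C9
Safety devices: DX581_S_1, DX581_S_2

Section: DX581_S_1
Automatic checks: PASSED
Data checksum: 1A2B3C4D

Section: DX581_S_2
Automatic checks: PASSED
Data checksum: 5E6F7081

Section: Safety CPU
Data checksum: 9ABCDEF0
PROFIsafe startup timeout: 600

Section: Libraries
Data checksum: 13572468

End of SVT checklist
"""

# Second revision: whole-document checksum moved, DX581_S_2 re-parameterized, one F-Device added.
CURRENT_CHECKLIST = PREVIOUS_CHECKLIST.replace(
    "Data checksum: 7F3A21C9", "Data checksum: AA11BB22"
).replace(
    "Data checksum: 5E6F7081", "Data checksum: 5E6F7099"
).replace(
    "Section: Safety CPU", "Section: F_Device_1\nData checksum: 0F0F0F0F\n\nSection: Safety CPU"
)
```

For the two constructed revisions, `sections_needing_manual_check(PREVIOUS_CHECKLIST, CURRENT_CHECKLIST)` returns the project information section, DX581_S_2 and the new F_Device_1; the safety CPU, libraries and DX581_S_1 sections keep their checksums and can be skipped, as the notice above allows. A section without a checksum is always reported, because SVT omits the checksum exactly when its automatic checks found errors.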

4.3.7.1.3 How to verify the SVT checklist

NOTICE! The excerpts from an SVT checklist in this section are examples only and have been edited to fit. Your SVT checklist may look different depending on the versions of Automation Builder and SVT.

Carefully read through the SVT checklist and mark the corresponding checkbox for each section and question in the SVT checklist if the result of your verification is positive.
1. Verify the project information section (see “How to verify the project information section” on page 176).
2. Verify each safety device section (see “How to verify the safety device sections” on page 176).
3. Verify the safety CPU section (see “How to verify the safety CPU section” on page 178).
4. Verify the libraries section (see “How to verify the libraries section” on page 178).
5. Verify the end of the SVT checklist (see “How to verify the end of the SVT checklist” on page 179).

If the result of your verification for at least one of the manual checks in the SVT checklist is negative or not acceptable, make sure that the safety configuration data is up-to-date. If the problems persist, contact ABB technical support for assistance.
Each section of the SVT checklist starts with a heading. The end of the SVT checklist is indicated with the text string “End of SVT checklist” (Fig. 89 on page 174).


How to verify the project information section

This section has general information on the SVT checklist. It begins with the time stamp and the version of SVT. Example of a project information section: Fig. 83 on page 169.

1. Verify that the automatic checks done by SVT have passed.

⇨ If the automatic checks generate errors, you get an error message (see “Errors in the automatic checks” on page 179).

2. In AC500-S Programming Tool, verify that the project information is correct. Mark a positive verification of an item with an "X" in the SVT checklist.

⇨ NOTICE! Mark the corresponding checkbox for each question in the SVT checklist as in the example above. You can mark the verified items in a printout or in the text file.

3. Read the data checksum for the whole SVT checklist. Use this data checksum to verify changes to the entire SVT checklist. Check if the data checksum is identical to the previously validated SVT checklist. If these SVT data checksums are identical, you do not need to do the manual checks. If the data checksums are not identical or if you run SVT for the first time, continue with the manual checks in the SVT checklist.

4. Verify that all of the safety devices in the Automation Builder project are listed in the SVT checklist. If a safety device is not in the list, use “Create Safety Configuration Data” from Automation Builder and run SVT again. Only configured and connected safety devices are listed in the SVT checklist, because all disconnected devices are handled outside of the given project.

⇨ After the line "End of SVT checklist", optional fields like date, signature, etc. are included.

5. Continue to verify the contents of each safety device section.

How to verify the safety device sections

Each safety device has a separate section in the SVT checklist that begins with a heading with the name of the safety device. The information in each safety device section depends on the type of the safety device (see “Safety device sections” on page 169).


1. Verify that the automatic checks done by SVT for this safety device have passed.

⇨ If the automatic checks generate errors, you get an error message (see “Errors in the automatic checks” on page 179).

2. Read the data checksum for the safety device. Use this data checksum to verify changes to the data for this safety device. If the data checksum is identical to a previously validated SVT checklist, the data for this safety device is identical and you can skip the manual checks for it. If the data checksums are not identical, repeat all of the manual checks for the safety device.

3. Verify the device type description. For 3rd party devices only, also verify the Module ID.

4. For 3rd party devices, verify that the version of the GSDML file shown in the SVT checklist is identical to the expected version from the safety device vendor.

5. If applicable, verify that the position number of the safety device in the SVT checklist corresponds to its location in the safety project in Automation Builder. The position number of the given safety device can change if its CM589-PNIO(-4) node is moved in the project.

6. Verify the I/O mapping information for the safety device. Note that “Data type” and “I/O” are listed for information only.


7. Verify the F-Parameter values for the safety device.

⇨ NOTICE! According to the PROFIsafe V2.6 protocol, the value "0" (zero) is not allowed for the F-Parameter F_Par_CRC and will be automatically changed to "1". For this special case, a corresponding hint will be shown in the SVT checklist. For further details, contact ABB technical support.

Do these manual checks for each safety device in the SVT checklist. You can skip the sections for safety devices only if the data checksum for the safety device is identical to the previously validated and approved SVT checklist.

How to verify the safety CPU section

1. Verify that the automatic checks done by SVT for the safety CPU have passed.

⇨ If the automatic checks generate errors, you get an error message (see “Errors in the automatic checks” on page 179).

2. Read the data checksum for the safety CPU. Use this data checksum to verify changes to the data for the safety CPU. If the data checksum is identical to a previously validated SVT checklist, the data for the safety CPU is identical and you can skip the manual checks for it. If the data checksums are not identical, repeat all of the manual checks for the safety CPU.

3. Verify the value of the parameter "PROFIsafe startup timeout".

How to verify the libraries section

This section includes the library CRCs of the used safety libraries (Fig. 88 on page 173).


1. Read the data checksum for the libraries. Use this data checksum to verify changes of the libraries. If the data checksum is identical to a previously validated SVT checklist, the libraries are identical and you can skip the manual checks for them. If the data checksums are not identical, repeat all of the manual checks for the libraries.

2. Verify that the library CRCs correspond to the AC500-S libraries (see Chapter 4.6 “AC500-S libraries” on page 192).

How to verify the end of the SVT checklist

Verify that the SVT checklist ends with the line “End of SVT checklist”, and if so, mark the corresponding checkbox in the project information section (Fig. 89 on page 174).

Errors in the automatic checks

If there are errors in the automatic consistency checks, SVT shows this with an error message in the project information section of the SVT checklist.


Fig. 90: Example of an SVT checklist with errors. When there are errors in the automatic consistency checks, the contents of the project information section of the SVT checklist are slightly different.

1 List of errors encountered by the automatic consistency checks done by SVT
2 List of remedies suggested by SVT to correct the causes of the errors
3 No data checksum is given for the SVT checklist when there are errors
4 The list of the safety devices indicates which safety devices have generated errors

NOTICE! If you cannot remedy all reported errors with the suggested remedies or otherwise, contact ABB technical support for assistance.

In addition to the project information section, each safety device section with errors has acorresponding message.


Fig. 91: Example of a safety device section with errors. When there are errors in the automatic checks for a safety device, the contents of the safety device section of the SVT checklist are slightly different.

1 List of errors for this safety device with exemplary error codes
2 No data checksum is given for the safety device when there are errors
3 Device identification information to help in troubleshooting the issue

Summary of error messages

Possible errors generated by SVT:
● General errors:
– Internal error in the safety device N. 'XYZ'. For error codes, refer to the section for this safety device.
– Internal error in safety project. Error code x.
– Maximum number of 32 connected F-Devices has been exceeded.
● Errors related to safety devices:
– Internal error in the safety device. For error codes, refer to the section for this safety device.
– Internal error in the safety device. Error code x.
– Internal error in the safety device or GSDML file. For error codes, refer to the section for this safety device.
– Internal error in the safety device or GSDML file. Error code x.
– Internal error in F-Parameters. For error codes, refer to the section for this safety device.
– Internal error in F-Parameters. Error code x.
– Error in the GSDML file. Error code x.
– Missing GSDML file.
● Errors related to F-Parameters or channel mapping:
– Internal error. Error code x.
– Multiple mappings to an output are not permitted. Use either the parent element or sub-elements.
Possible remedies suggested by SVT to correct errors:
● Reinstall the GSDML file of safety device N. 'XYZ' and update this device in Automation Builder.
● Use either the parent element or sub-elements in the safety device N. 'XYZ'
● Repeat the “Create Safety Configuration Data” command for your safety project in Automation Builder.
● Delete or disconnect F-Devices in order not to exceed the maximum number of 32.


4.4 Safety programming guidelines

4.4.1 Overview

AC500-S Programming Tool is suitable for creating safety applications of certain classes if it is used in a suitable environment in conjunction with controllers like AC500-S, specially approved for this purpose. This requires certain guidelines to be followed, which are described in this document.

4.4.1.1 Target group

This document is aimed at users who wish to create safety applications with AC500-S Programming Tool. It also serves as a basis for testers who approve safety applications.

4.4.1.2 Requirements

To understand this document, knowledge of IEC 61131-3 (see [4]) is required. Experience with the creation of safety applications is helpful.

4.4.1.3 Terms

Output - Variable that is mapped to an IEC output address (%Q)
Output parameter - VAR_OUTPUT of a program or function block
Input - Variable that is mapped to an IEC input address (%I)
Input parameter - VAR_INPUT of a program, function or function block

4.4.2 Framework

4.4.2.1 Safety integrity level (SIL)

AC500-S Programming Tool is suitable for creating applications up to SIL 3. The use of AC500-S Programming Tool is not permitted for higher levels.

4.4.2.2 Approved version of AC500-S Programming Tool

The following product component versions are approved for creating safety applications:

Type of product component | Name of product component | Version (date)
Programming system | AC500-S Programming Tool | 2.3.9.9 or higher

The version of the AC500-S Programming Tool can be checked via “Help → About”. The correct version of the runtime system is indicated by the SIL 3 approval of the control system through the German Technical Inspection Association (TÜV SÜD).

4.4.2.3 Control-specific application notes

Safety controllers require a special procedure for loading safety applications. In AC500-S Programming Tool, the download of the boot project is considered safe, as it is secured by the appropriate mechanisms.


Procedure in AC500-S Programming Tool for loading a safety application

1. Compile the user application.
2. Connect to the controller. This is secured by password protection. It causes an automatic compile of the user application, if needed.
3. Execute menu item “Online → Create Boot Project”.
4. Reboot the controller.

⇨ This causes loading and starting of the application.

All online commands like the following disable the safe operation:
● Download
● Online change
● Set breakpoint
● Write values
● Force values
● Trace
● Single cycle
● Start/Stop
● Flow control
Variable monitoring in online mode does not disable the safe operation.

4.4.2.4 Application creation procedure

Application creation must follow the guidelines of relevant safety standards, e.g., IEC 61508 for functional safety, IEC 61511 for functional safety in process automation and ISO 13849-1 and IEC 62061 for functional safety in machinery. In addition to comprehensive documentation of requirements, architecture and module interfaces, this also includes full functional testing of all parts of the safety application. This test must be carried out with the machine or process in its final configuration including mechanical, electrical and electronic components, sensors, actuators, and software. Testing in a special test environment, for example using a debugger, may facilitate passing the final test, but cannot be used as a substitute.

4.4.2.5 Settings

Table 10: The following system settings are required:

Setting | Value
Replace constants | Selected in “Project → Options → Build”
Actions hide programs | Selected in “Project → Options → Build”

4.4.2.6 Classification

In principle, most language constructs can be used in safety applications. However, for some constructs that are associated with an increased fault potential during application creation this is only possible to a limited extent, and compliance with additional fault prevention measures is strongly recommended. These measures are listed with the respective construct.


4.4.3 Language-specific programming guidelines

4.4.3.1 Safety-related restrictions for developers

There are some restrictions to developing safety applications with AC500-S Programming Tool which have to be secured by organizational means. These are as follows:
● For safety applications, visualizations in AC500-S Programming Tool are allowed for display purposes only. Changing values via controls (e.g., "Write values", see Chapter 4.4.2.3 “Control-specific application notes” on page 182) would cause the runtime system to switch into non-safe mode without necessarily telling the user.

4.4.3.2 Language

Of the IEC 61131-3 languages supported in AC500-S Programming Tool, "Structured Text" (ST), "Function Block Diagram" (FBD) and "Ladder Logic Diagram" (LAD) are approved for creating safety applications.

4.4.3.3 Task system

Due to poor testability, it is only advisable to a limited extent to use multitasking for safety applications. For an application created with AC500-S Programming Tool this means:
● The complete application consisting of safety parts and non-safety parts should be called from the program "PLC_PRG". To achieve a well-arranged structure of the program, no logic processing should be programmed in "PLC_PRG". Assignments and calls to programs, function blocks or functions are allowed.
● The controller-specific options for monitoring the total execution time must be activated and set significantly below the fault tolerance time.

4.4.3.4 Variable declarations

Of the variable types and attributes defined in IEC 61131-3, the following are suitable for creating safety applications:

Keyword | Description | Suitable (yes / to a limited extent / no) (comment)
VAR | Local block variable | Yes
VAR_INPUT | Block input parameter | Yes
VAR_OUTPUT | Block output parameter | Yes
VAR_IN_OUT | Block reference parameter | To a limited extent. (To illustrate the side effect, the parameter should be identified with a prefix. Even better would be to use an input and an output parameter instead.)
VAR_GLOBAL | Global variable | Yes. (We strongly recommend identifying global variables with a prefix such as "G_" or "GS_" (for safety variables).)
VAR_EXTERNAL | Declaration of global variables used in the block | Yes
AT | Variable address allocation | To a limited extent (see Chapter 4.4.3.5 “Direct addresses” on page 185)
CONSTANT | Declaration as constant (no write access possible) | Yes. (We recommend declaring each constant explicitly.)

Configuration and programming
Safety programming guidelines > Language-specific programming guidelines

2022/02/04 3ADR025091M0210, 14, en_US 184

RETAIN | Variable value is preserved after switch-off | No, not supported
PERSISTENT | Variable value is preserved after reloading | No, not supported

In the interest of better readability the following rules should be followed for the declaration of variables:
● Only one block of declaration type (e.g., VAR, VAR_INPUT, VAR_OUTPUT, VAR_IN_OUT, VAR_GLOBAL and combinations with CONSTANT) per component
● Only one variable declaration per line with informative comment

Bad:
VAR
    A, B, C: BOOL; (* several variables *)
END_VAR

Good:
VAR
    A: BOOL; (* first variable *)
    B: BOOL; (* second variable *)
    C: BOOL; (* third variable *)
END_VAR

● Local variables (VAR) should always have a name different from that of any global variable. Obscuring of global variables through local variables must be avoided.

4.4.3.5 Direct addresses
The following rules must be followed when using addresses for creating safety applications:
● No application of addresses directly in the program code. Each used address must be assigned to a variable with "AT" in the declaration. In addition, we recommend identifying input/output variables through a prefix and defining them together in a single variable list.
● The application of marker addresses (%M) should be limited to a minimum due to the error-proneness of the allocation and the lack of purpose (memory for variables is allocated automatically).
● Multiple address allocation should be avoided due to obscure side effects. For word- and bit-wise access a variable is defined for the word and accessed via bit access <variable>.<bit number>.
● No address declarations within programs, function blocks, functions and data structures.

4.4.3.6 Data types
Of the data types usable in AC500-S Programming Tool the following are approved for creating safety applications:

Table 11: Simple data type
Keyword | Suitable (yes / to a limited extent / no) (comment)
BOOL | Yes
BYTE, SINT, USINT | Yes
WORD, INT, UINT | Yes
DWORD, DINT, UDINT | Yes
TIME, TOD, DATE, DT | Yes


STRING | To a limited extent. (Technically possible, although it makes little sense due to the lack of safety input/output devices.)
REAL | To a limited extent. (Prone to error through rounding errors, therefore no query with EQ operator; check for invalid operations such as division by zero, square root of a negative number, logarithm of a negative number.)

Table 12: Complex data types
Keyword | Suitable (yes / to a limited extent / no) (comment)
ARRAY | To a limited extent. (Only with explicit range check, otherwise too prone to errors.)
STRUCT | Yes
Listing types | Yes
Subrange types | Yes
POINTER | To a limited extent. (Recommended measures: no pointer arithmetic, range check, new allocation of pointer value at the start of each cycle.)

The following rules must be followed when complex data types are used:
● For complex data types we recommend using type declarations.
● Before each access to an array an explicit range check of the index should be carried out. In the event of a violation that cannot be explained through the application, the control system should be switched to a safe state.

DANGER!
The memory access using POINTERs (e.g., ADR function) is error-prone and is generally not recommended. If used in safety applications, then the responsibility for correct usage of these and related functions lies entirely with the organization and persons who use those functions in AC500-S safety PLC.
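One way to implement the array rule above in Structured Text, as an added example that is not code from the ABB manual: the index is validated by a side-effect-free function before the array is touched, and an unexplained violation latches a safe-state request. The POU names S_IndexValid and S_ReadSensor and all variable names are assumptions chosen for this illustration.

```st
(* Added example, not code from the ABB manual: an explicit index range check
   before every array access, with a transition to the safe state on violation.
   The POU names S_IndexValid and S_ReadSensor and all variable names are
   assumptions chosen for this illustration. *)

(* Pure function without side effects: TRUE if Index lies within LowIdx..HighIdx *)
FUNCTION S_IndexValid : BOOL
VAR_INPUT
    Index   : INT;
    LowIdx  : INT;
    HighIdx : INT;
END_VAR
S_IndexValid := (Index >= LowIdx) AND (Index <= HighIdx);
END_FUNCTION

PROGRAM S_ReadSensor
VAR CONSTANT
    LOW_IDX  : INT := 1;          (* must match the declared array bounds *)
    HIGH_IDX : INT := 8;
END_VAR
VAR
    S_Values   : ARRAY[1..8] OF INT;  (* sensor values; array declared with an explicit range *)
    S_Selector : INT;                 (* index set by the application's selection logic (not shown) *)
    S_Value    : INT;                 (* value read in this cycle, 0 if the index was invalid *)
    S_IndexOk  : BOOL;
    S_SafeStop : BOOL;                (* state: TRUE switches the application to its safe state *)
END_VAR

(* The check precedes the access; the array is never indexed with an
   unchecked value, and the index is a plain variable, not an expression. *)
S_IndexOk := S_IndexValid(S_Selector, LOW_IDX, HIGH_IDX);
IF S_IndexOk THEN
    S_Value := S_Values[S_Selector];
ELSE
    S_Value := 0;
END_IF

(* The state variable is written exactly once per cycle. An index outside the
   declared range cannot be explained by the application, so the latch stays
   set and the outputs driven from S_SafeStop remain in the safe state. *)
S_SafeStop := S_SafeStop OR NOT S_IndexOk;
END_PROGRAM
```

The latch is deliberate: clearing S_SafeStop automatically in the next cycle would hide the violation, whereas keeping it set forces an explicit restart decision by the application.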

4.4.3.7 Blocks
All IEC 61131-3 block types are suitable for creating safety applications:
● PROGRAM
● FUNCTION
● FUNCTION_BLOCK

If blocks are used, the following programming guidelines should be followed:
● Functions and function blocks must not affect global application states. Such effects arise through write access to global data and through calls of system components, so both should be avoided in functions and function blocks.
● Explicit parameter transfer is preferable for calling programs and function blocks.

Bad:
Inst.Param1 := 7;
Inst.Param2 := 3;
Inst();
X := (Inst.Out1 AND A) OR B;

Good:
Inst(Param1 := 7, Param2 := 3, Out1 => Result);
X := (Result AND A) OR B;

● All input parameters should be assigned for a call.


4.4.3.8 Libraries
External libraries approved by the manufacturer of the control system (i.e., implemented in the firmware of the control system) may be used for safety applications. Of the standard libraries available in AC500-S Programming Tool only the following are approved:

Library | Description | Version (date)
Safety_Standard.lib (former Standard.lib) | Standard IEC 61131-3 functions: timer, counter, trigger, flip-flops, string processing | 2.3 (04.10.2005) or higher

User libraries created by the manufacturer of the control system or the end user may be used. On insert of a library, it has to be checked whether the selected library was actually inserted. The respective information is shown when the library is inserted.

4.4.3.9 Expressions

4.4.3.9.1 General
The following general rules must be followed for programming of expressions in safety applications:
● Mixing of different data types in an expression should be avoided. If mixing is unavoidable, explicit type conversion should be used instead.
● The complexity of expressions should be minimized through the following measures:
– Limitation of nesting depth (e.g., no more than 3 nesting levels) per expression.
– No more than 10 operators and 10 operands per expression.
– No application of expressions in array indices of array access.
– No application of expressions in function parameters, function block parameters or program parameters.

4.4.3.9.2 Constants
In the interest of more transparent semantics constants should either be declared explicitly or associated with explicit typification.

Bad:
VAR
    size: REAL;
    diameter: REAL;
END_VAR
size := diameter * 3.14;

Good:
VAR CONSTANT
    PI: REAL := 3.14;
END_VAR
VAR
    size: REAL;
    diameter: REAL;
END_VAR
size := diameter * PI;

Also good:
VAR
    size: REAL;
    diameter: REAL;
END_VAR
size := diameter * REAL#3.14;

4.4.3.9.3 Assignments
If assignments are used, the following programming guidelines should be followed:
● For each instruction only one assignment is permitted. The complex expression assignments possible in AC500-S Programming Tool must not be used for safety applications.

Bad:
Res1 := Res2 := FunCall(1, C := D, 3);

Good:
C := D;
Res2 := FunCall(1, C, 3);
Res1 := Res2;

● The implicit conversion between unsigned, signed and bit string types realized in AC500-S Programming Tool and the extension of smaller types to larger types during assignment should not be used. Explicit conversion should be used instead.

4.4.3.9.4 Parentheses
Through definition of priorities for operators each expression is uniquely defined even without parentheses. However, in order to avoid mistakes and improve readability the use of parentheses is highly recommended except in very familiar cases (multiplication/division before addition/subtraction).

Bad:
X := A < B AND NOT A > C + D OR E;

Good:
X := (A < B) AND NOT (A > (C + D)) OR E;

4.4.3.9.5 Bit access
Bit access (<variable>.<bit number>) is approved for creating safety applications and should also be used instead of the regularly used multiple address allocation.

Bad:
VAR_GLOBAL
    Flags AT %QW12: WORD;
    Enable AT %QX12.0: BOOL;
END_VAR
Flags := 0;
Enable := TRUE;

Good:
VAR CONSTANT
    EnableBit: INT := 0;
END_VAR
VAR
    Flags AT %QW12: WORD;
END_VAR
Flags := 0;
Flags.EnableBit := TRUE;

4.4.3.9.6 Conversions
No implicit type conversions should be used for assignments and mixed types, i.e., only explicit conversions should be used.

Bad:
VAR
    A: BYTE;
    B: INT;
    C: DWORD;
END_VAR
C := A + B;

Good:
VAR
    A: BYTE;
    B: INT;
    C: DWORD;
END_VAR
C := INT_TO_DWORD(B + BYTE_TO_INT(A));

4.4.3.10 Operators
The following table indicates the suitability of operators for creating safety applications.

Keyword | Suitable (yes / to a limited extent / no) (comment)
AND, OR, NOT, XOR | Yes
+, -, *, /, MOD | Yes. (Division should include an explicit test for divisor <> 0.)
=, <>, >, >=, <, <= | Yes
SQRT, SIN, COS, TAN, ASIN, ACOS, ATAN, LOG, LN, EXPT, EXP | To a limited extent. (Prone to error through rounding errors.)
MIN, MAX, LIMIT | Yes
MUX, SEL | Yes. (Please note: branches that are not selected are not executed. This can lead to problems if functions calling system libraries are used.)


TIME | Yes
ADR | To a limited extent. (Required for POINTERs that may be used to a limited extent.)
INDEXOF | To a limited extent. (Only used as parameter for runtime system functions. The function used should be treated like an independent task.)
SIZEOF | Yes
ROL, ROR, SHR, SHL | Yes

4.4.3.11 Language constructs
The following ST language control elements are suitable for creating safety applications:

Keyword | Suitable (yes / to a limited extent / no) (comment)
IF | Yes
CASE | Yes
FOR | Yes
WHILE | To a limited extent. (Proof of avoidance of an infinite loop is required.)
REPEAT | To a limited extent. (Proof of avoidance of an infinite loop is required.)
EXIT | To a limited extent. (Exits a loop immediately. A loop should only be exited through its end condition.)
RETURN | To a limited extent. (Exits a subroutine immediately. A subroutine should only be exited once all instructions have been processed.)
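Three of the conditional entries in the operator table and the language-construct table above, worked out in Structured Text as an added example that is not code from the ABB manual: the explicit divisor test before "/", a tolerance comparison in place of "=" on REAL, and a WHILE loop whose termination is guaranteed by an iteration bound rather than only by the data. The POU and variable names are assumptions chosen for this illustration.

```st
(* Added example, not code from the ABB manual. It shows an explicit divisor
   test before "/", a tolerance comparison instead of "=" on REAL, and a WHILE
   loop whose termination is proven by an iteration limit. All POU and variable
   names are assumptions chosen for this illustration. *)

(* Division with explicit divisor test; DivFault reports a zero divisor. *)
FUNCTION_BLOCK S_SafeDiv
VAR_INPUT
    Dividend : INT;
    Divisor  : INT;
END_VAR
VAR_OUTPUT
    Quotient : INT;
    DivFault : BOOL;
END_VAR
IF Divisor <> 0 THEN
    Quotient := Dividend / Divisor;
    DivFault := FALSE;
ELSE
    Quotient := 0;          (* defined result instead of an undefined operation *)
    DivFault := TRUE;
END_IF
END_FUNCTION_BLOCK

(* REAL values are compared within a tolerance, never with "=". The difference
   is computed into a variable first so that no expression is passed as a
   function parameter. *)
FUNCTION S_RealEqual : BOOL
VAR_INPUT
    A         : REAL;
    B         : REAL;
    Tolerance : REAL;
END_VAR
VAR
    Diff : REAL;
END_VAR
Diff := A - B;
S_RealEqual := ABS(Diff) <= Tolerance;
END_FUNCTION

(* WHILE with a proven upper bound: the loop body runs at most MAX_ITER times,
   whatever the input. Result: 0 for Value = 0, otherwise the 1-based position
   of the highest set bit (1..16). *)
FUNCTION S_HighestSetBit : INT
VAR_INPUT
    Value : WORD;
END_VAR
VAR CONSTANT
    MAX_ITER : INT := 16;           (* a WORD has 16 bits *)
END_VAR
VAR
    Remaining : WORD;
    Count     : INT;
END_VAR
Remaining := Value;
Count := 0;
(* Both conditions are needed: the counter bound is the termination proof,
   the value test only stops the loop early. *)
WHILE (Remaining <> 0) AND (Count < MAX_ITER) DO
    Remaining := SHR(Remaining, 1);
    Count := Count + 1;
END_WHILE
S_HighestSetBit := Count;
END_FUNCTION
```

The loop bound is what makes the WHILE acceptable under the table above: the proof that it terminates is the constant MAX_ITER and the monotonically increasing Count, independent of any property of Value.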

4.4.4 General programming guidelines
In addition to language-specific guidelines, errors should be avoided through compliance with additional general guidelines. These guidelines are listed here in no particular order:
● Few states
States in the form of variables that retain their value beyond a control cycle hamper the testability of an application. This can be avoided with the following measures:
– Avoidance of states wherever possible
– A state variable should only be written once per cycle. This facilitates tracing of errors if a state has an invalid value.
– If a state consists of several variables it should be encapsulated in a function block. State transitions should only be triggered by calling the block.
● No warnings
A safety application must not generate compiler warnings!
● Limited number of rows (500) per block
In the interest of transparency, a block should have no more than 500 rows.
● Limited number of characters per row (150)
In the interest of transparency, a row should have no more than 150 characters.
● No re-use of variables
Each variable should only be used for one purpose. Application in another context, even if the previous purpose is no longer important, involves a significant fault potential, particularly for modifications.
● Variables as local as necessary
Variables that are only written in one block must be declared locally. The only exception is variables that are linked with addresses. These should be declared globally in order to avoid multiple assignments.


● Only one access to output
As for states, outputs should only be written to at one point in the program.
● No access to global variables from functions and function blocks
A function should have no side effects; a function block should only change the state of its own instance. Functions and function blocks should therefore not access global variables.

4.4.5 Safety and non-safety parts of the application
For very complex applications, it is advisable to transfer all safety application parts to a separate control system. If this is not possible, the application parts should be separated through the following measures:
● Blocks (programs, function blocks and functions) are either safety blocks or not. All safety blocks should be identified through a prefix (e.g., "S_").
● Calls of non-safety blocks in safety blocks are not permitted. This must be checked with the "Show project call tree" function.
● Calls of safety blocks in non-safety blocks are limited to standard functions. This must be checked with the "Show project call tree" function.
● Global variables are either safety or not. All safety variables should be identified through a prefix (e.g., "S_"). All safety variables are defined in separate variable lists that are also identified through a prefix.
● Write access to safety variables from non-safety blocks is not permitted. This must be checked with the "Show project cross-reference list" function.
● Write access to non-safety variables from safety blocks is not permitted. This must be checked with the "Show project cross-reference list" function.
● The following measures should also be adhered to in the non-safety part:
– Limited application of pointers
– Range check of indices before write access to fields (ARRAY)
– No multiple address allocation
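A small safety part laid out along the separation rules just listed and the general guidelines of 4.4.4 ("few states", "only one access to output", "no access to global variables from functions and function blocks"), as an added example that is not code from the ABB manual. The variable list name S_Globals, the POU names S_RunState, S_Main and Hmi, and the I/O addresses are assumptions chosen for this illustration.

```st
(* Added example, not code from the ABB manual: a small safety part structured
   along the naming and separation rules of 4.4.5 and the "few states" / "one
   access to output" guidelines of 4.4.4. The variable list name S_Globals,
   the POU names S_RunState, S_Main and Hmi, and the I/O addresses are
   assumptions chosen for this illustration. *)

(* Global variable list "S_Globals" (safety): only safety variables, all with
   the safety prefixes; address binding happens here and nowhere else. *)
VAR_GLOBAL
    IS_EStop   AT %IX0.0 : BOOL;    (* constructed address: emergency stop chain, TRUE = healthy *)
    IS_GuardOk AT %IX0.1 : BOOL;    (* constructed address: guard closed *)
    IS_Ack     AT %IX0.2 : BOOL;    (* constructed address: restart acknowledge *)
    OS_Enable  AT %QX0.0 : BOOL;    (* constructed address: drive enable *)
    GS_Running : BOOL;              (* safety global read by the non-safety part *)
END_VAR

(* The variables making up one state live in a function block; the state
   changes only through calls of this block, never from outside, and the block
   touches no global variable. *)
FUNCTION_BLOCK S_RunState
VAR_INPUT
    EStopOk : BOOL;
    GuardOk : BOOL;
    Ack     : BOOL;
END_VAR
VAR_OUTPUT
    Running : BOOL;
END_VAR
VAR
    Tripped : BOOL;     (* state: a stop condition occurred and was not acknowledged *)
    ChainOk : BOOL;
END_VAR
ChainOk := EStopOk AND GuardOk;
(* each state variable is assigned exactly once per cycle; the stop condition
   dominates the acknowledgement *)
Tripped := (Tripped OR NOT ChainOk) AND NOT (Ack AND ChainOk);
Running := NOT Tripped;
END_FUNCTION_BLOCK

(* Safety program (S_ prefix): calls only safety blocks, passes parameters
   explicitly, and is the single writer of GS_Running and OS_Enable. *)
PROGRAM S_Main
VAR
    S_State   : S_RunState;
    S_Running : BOOL;
END_VAR
S_State(EStopOk := IS_EStop, GuardOk := IS_GuardOk, Ack := IS_Ack, Running => S_Running);
GS_Running := S_Running;
OS_Enable  := S_Running;
END_PROGRAM

(* Non-safety program (no S_ prefix): may read a safety global, but never
   writes one and never calls a safety block. *)
PROGRAM Hmi
VAR
    LampRun : BOOL;
END_VAR
LampRun := GS_Running;
END_PROGRAM
```

With this layout the "Show project cross-reference list" check described above has exactly one writer for each of GS_Running and OS_Enable, both inside S_Main. In a real design the acknowledge input would additionally be passed through an edge detection (R_TRIG) so that a permanently pressed or stuck button cannot restart the machine on its own.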

4.5 Safety code analysis tool
Instead of manually checking the safety programming guidelines, one can use the ABB software tool "AC500-S Safety Code Analysis" (SCA) to automatically check most of the safety rules. The detailed description on how to use the ABB SCA tool can be found at www.abb.com/plc and in its help system. The AC500-S SCA tool can be downloaded for free from www.abb.com/plc.
There are rules which still have to be checked manually Ä Table 13 “Safety programming rules to be checked manually” on page 191. The AC500-S SCA tool is not able to detect them in the safety application program.

Table 13: Safety programming rules to be checked manually
Rule for manual check in AC500-S Programming Tool | Comments (relevance for AC500-S)
Verify that the watchdog is activated. Verify that the watchdog time is set sufficiently shorter than the process failure response time. | Use a special library POU SF_WDOG_TIME_SET Ä Chapter 4.6.7.3 “SF_WDOG_TIME_SET” on page 318
Verify that there is only one task. | AC500-S supports only one task, thus there is no need for this check.
Verify that, other than standard libraries, only libraries certified for safety applications are used. | These rules are included in Ä Chapter 6.2 “Checklist for creation of safety application program” on page 343
For each POU, verify that there are no unnecessary state variables.


Verify that the following holds for all function blocks: If more than one variable is used to store state information, encapsulate these variables into their own function block and only use calls on this function block to change the state.
Verify that the compiler reports neither errors nor warnings when compiling the application.
For each POU, verify that variables are not re-used later on with a different meaning.
Verify that the names of safety POUs start with "S_". Verify that the names of non-safety POUs do not start with "S_". | These rules have to be checked only if you plan to implement not only safety but also non-safety functions on AC500-S safety CPU. In typical applications with AC500-S it is not the case, because non-safety functions are realized on non-safety CPUs.
Verify that names of safety variables start with "S_". Verify that names of global safety variables start with "GS_". Verify that names of safety inputs start with "IS_". Verify that names of safety outputs start with "OS_". Verify that names of non-safety variables do not start with either "S_", "GS_", "IS_" or "OS_".
Verify that names of global variable lists containing non-safety variables do not start with S_.
Verify that names of global variable lists containing safety variables start with S_.
For each non-safety POU, verify that it does not write to any safety variable.

4.6 AC500-S libraries

4.6.1 Overview
The following safety libraries are certified by TÜV SÜD and are allowed to be used with AC500-S safety PLC.

Table 14: Safety libraries
Library name / version | Library CRC | Description
Safety_Standard.lib, Version 2.3 | fd5d3581 | Standard safety functions of AC500-S safety CPUs
Safety_SysLibTime.lib, Version 2.4.0.6 | 672b8325 | Internal time system library (Internal use only!)
SafetyBase_PROFIsafe_LV210_AC500_V22.lib, Version 2.1.0 | 8069df7b | PROFIsafe F-Host and Safety I/O base functions Ä Table 122 “Version history of library SafetyBase_PROFIsafe” on page 421
SafetyBlocks_PLCopen_AC500_v22.lib, Version 1.0.0 | b6e0bc60 | PLCopen Safety library
SafetyDeviceExt_LV100_PROFIsafe_AC500_V27.lib, Version 1.0.0 | 2eadeae9 | PROFIsafe F-Device function on safety CPU


SafetyExt2_LV110_AC500_V27.lib, Version 1.1.0 | aa3be9be | Safety functions for safety CPU: triggering of safe stop; reading of configured maximum power dip value; reading of boot project CRC; specific functions for user-defined CRC calculation. These are additional functions to those available in SafetyExt_AC500_V22.lib. Ä Table 125 “Version history of library SafetyExt2” on page 422
SafetyExt_AC500_V22.lib, Version 1.0.0 | 72a88162 | Safety functions for safety CPU cycle monitoring, under- and overvoltage supervision, data exchange with non-safety CPU, user data storage in the flash memory, etc.
SafetyUtil_CoDeSys_AC500_V22.lib, Version 1.0.0 | 6b29c54 | Internal safety utilities of the safety CPU (Internal use only!)
SysLibCallback.lib, Version 2.4.0.6 | 62ad210d | Internal safety library (not shown in Library Manager) (Internal use only!)
Target_AC500_V22.lib, Version 3.4.0.6 | 8daa436 | Internal AC500 library (not shown in Library Manager) (Internal use only!)

4.6.2 Safety_Standard.lib
Only a short description is provided for standard POUs from Safety_Standard.lib. For more detailed information about standard functions refer to Ä [3].

RS: Bistable function, reset dominant.
Q1 = NOT RESET1 AND (SET OR Q1)

SEMA: Software semaphore. Interruptible!
BUSY is TRUE if there was a call with CLAIM = TRUE but no call with RELEASE = TRUE.
CLAIM = TRUE sets BUSY = TRUE; RELEASE = TRUE sets BUSY = FALSE.


SR: Bistable function, set dominant.
Q1 = SET1 OR (NOT RESET AND Q1)

CTD: Counter down.
CV is decremented by 1 if CD has a rising edge. Q is TRUE if CV has reached 0.

CTU: Counter up.
CV is incremented by 1 if CU has a rising edge. Q is TRUE if CV has reached PV.

CTUD: Counter up down.
CV is incremented by 1 if CU has a rising edge. CV is decremented by 1 if CD has a rising edge. QU is TRUE if the counter is PV. QD is TRUE if the counter is 0.

CONCAT: Concatenation of two strings.


DELETE: Delete LEN characters of STR, beginning at the POS-th character position. POS = 1 is the first character.

FIND: Find the character position of the beginning of the first occurrence of STR2 in STR1. If no occurrence of STR1 is found, then the result is 0.

INSERT: Insert STR2 into STR1 after the POS-th character position. POS = 0 inserts before the first character. POS = 1 inserts after the first character.

LEFT: Return the leftmost SIZE characters of STR.

LEN: String length function. Returns the number of characters in STR.

MID: Return LEN characters of STR, beginning at the POS-th character position. POS = 1 is the first character.


REPLACE: Replaces L characters of STR1 by STR2, starting at the POS-th character position, and returns the new string. POS = 1 is the first character.

RIGHT: Returns the rightmost SIZE characters of STR.

RTC: Sets CDT to PDT on a rising edge in EN and starts increasing CDT. With EN = FALSE, CDT is set to DT#1970-01-01-00-00:00.

TOF: Timer off delay. Q is FALSE PT milliseconds after IN had a falling edge.

TON: Timer on delay. Q is TRUE PT milliseconds after IN had a rising edge.

TP: Timer pulse. Q produces a high signal with the length of PT on every rising edge on IN.
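A start/stop circuit built from the Safety_Standard.lib blocks described above, as an added example that is not code from the ABB manual. It shows why the reset-dominant RS is the right bistable when a stop request must always win, and how TON and R_TRIG combine with it. Everything except the library POUs and their pins (R_TRIG: CLK, Q; RS: SET, RESET1, Q1; TON: IN, PT, Q; the R_TRIG pin names are the standard IEC 61131-3 ones, not stated on this page) is an assumption chosen for this illustration.

```st
(* Added example, not code from the ABB manual: a start/stop circuit built from
   the Safety_Standard.lib blocks described above. Everything except the library
   POUs and their pins (R_TRIG: CLK, Q; RS: SET, RESET1, Q1; TON: IN, PT, Q) is
   an assumption chosen for this illustration. *)
PROGRAM S_StartStop
VAR
    S_StartEdge   : R_TRIG;   (* one start request per press of the start button *)
    S_Latch       : RS;       (* reset dominant: a stop request always wins over start *)
    S_RunDelay    : TON;      (* enable only after the latch has been set for PT *)
    S_StopRequest : BOOL;     (* intermediate value so that no expression is passed as a parameter *)
    IS_Start      : BOOL;     (* constructed inputs; in a project these are IS_ globals bound to addresses *)
    IS_StopOk     : BOOL;     (* TRUE while the stop chain (e-stop, guards) is healthy *)
    OS_Enable     : BOOL;
END_VAR

S_StartEdge(CLK := IS_Start);
S_StopRequest := NOT IS_StopOk;

(* RS: Q1 = NOT RESET1 AND (SET OR Q1). While the stop chain is open RESET1 is
   TRUE, so the latch cannot be set and is cleared at once; after the chain is
   healthy again a new rising edge on the start button is needed, because SET
   is only a one-cycle pulse. *)
S_Latch(SET := S_StartEdge.Q, RESET1 := S_StopRequest);

(* TON: Q becomes TRUE PT after IN had a rising edge and drops as soon as IN
   drops, so OS_Enable cannot outlive the latch. *)
S_RunDelay(IN := S_Latch.Q1, PT := T#500ms);

OS_Enable := S_RunDelay.Q;
END_PROGRAM
```

Had SR (set dominant) been used instead, a start edge arriving in the same cycle as a stop request would set Q1 for that cycle; with RS the stop request is honoured first, which is the behaviour a safety circuit needs.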


F_TRIG: Falling edge detection.

R_TRIG: Rising edge detection.

4.6.3 SafetyBase_PROFIsafe_LV210_AC500_V22.lib
This library includes a PROFIsafe stack implementation (PROFISAFESTACK POU), which is a main F-Host component.

NOTICE!
When updating this library in existing projects, consider the following.
The use of library version V2.1.0 (or higher) results in a higher data memory load for each instantiated F-Submodule, compared to older versions of the library, e.g., V2.0.0.

NOTICE!
Only for PROFIsafe communication according to PROFIsafe protocol version V2.4:
Loop-back check via bit 7 in status / control byte of PROFIsafe telegram is implemented, which means that no further considerations against systematic loop-back configuration errors shall be performed by end-users (refer to www.profisafe.net for further details).

DANGER!
Not more than one communication error (CE_CRC or Host_CE_CRC output signals become equal to TRUE) per 100 hours is allowed to be acknowledged by the operator using OA_C input signal without consulting the responsible safety personnel (refer to www.profisafe.net for further details).


This function block represents a PROFIsafe F-Host instance to control and monitor the status of the given F-Device (safety I/O module, etc.) Ä [2].
Supported features (relating to the GSDML definitions of the F-Devices):
● "Short" process data frames according to PROFIsafe V2.4 protocol specification (max. 12 bytes)
● "Short" process data frames according to PROFIsafe V2.6 protocol specification (max. 13 bytes)
● "Long" process data frames according to PROFIsafe V2.6 protocol specification (max. 123 bytes)
● RIOforFA profile Ä Chapter 4.6.3.1 “RIOforFA profile” on page 201
● Feature "Reaction on Device Fault" Ä Chapter 4.6.3.2 “Feature "Reaction on Device Fault"” on page 202
● Feature "Disable F-(Sub)Module" Ä Chapter 4.6.3.3 “Feature "Disable F-(Sub)Module"” on page 202

NOTICE!
Both features "Reaction on device fault" and "Disable F-(Sub)Module" can be operated simultaneously.

Table 15: FB name: PROFISAFESTACK
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
activate_FV_C | BOOL | FALSE | Command (= TRUE) to activate fail-safe values in F-Device or (= FALSE) for normal F-Device operation
OA_C | BOOL | FALSE | Command (= TRUE) for operator acknowledgment and resume of safety function by F-Device
iPar_EN_C | BOOL | FALSE | This variable TRUE allows a safety control program to switch the F-Device into a mode during which it will accept iParameters. This mode is not supported by AC500-S safety I/O modules (DI581-S, DX581-S, AI581-S) and safety CPUs SM560-S-FD-1 / SM560-S-FD-4
pIODesc | POINTER | NULL | Internal input parameter (internal use only!)
OAD_Nec_C | BOOL | FALSE | Ä Chapter 4.6.3.2 “Feature "Reaction on Device Fault"” on page 202
Disable_C | BOOL | FALSE | Ä Chapter 4.6.3.3 “Feature "Disable F-(Sub)Module"” on page 202
VAR_OUTPUT


cons_nr_R | BOOL | FALSE | This parameter is for debugging purposes only. It is set when the F-Device has reset its consecutive number counter in PROFIsafe communication Ä [2].
Toggle_d | BOOL | FALSE | This parameter is for debugging purposes only. It is a device-based toggle bit indicating a trigger to increment the virtual consecutive number within the F-Host Ä [2].
FV_activated_S | BOOL | FALSE | With input devices this variable, if TRUE, indicates that the driver is delivering fail-safe values "0" to the F-Host program for every input value. With output devices this variable, if TRUE, indicates that every output is set to fail-safe values "0" (default behavior) or the F-Output device specific value controlled by the "activate_FV" signal Ä [2].
OA_Req_S | BOOL | FALSE | This variable indicates a request for acknowledgment prior to the resumption of a safety function. In case the F-Host driver or F-Device detects a communication error or F-Device fault, fail-safe values will be activated. The F-Device driver then sets the variable OA_Req_S (= TRUE) as soon as the fault/error has been eliminated and operator acknowledgment is possible. Once the acknowledgment has occurred (OA_C = TRUE) the F-Device driver will reset the request variable OA_Req_S (= FALSE) Ä [2].
WD_timeout | BOOL | FALSE | This parameter is for debugging purposes only. It is set to TRUE if the F-Device is recognizing a communication failure, i.e., if the watchdog time in the F-Device is exceeded Ä [2].
CE_CRC | BOOL | FALSE | This parameter is for debugging purposes only. It is set if the F-Device is recognizing a communication failure, i.e., if the consecutive number is wrong (detected via CRC2 error in V2-mode) or the data integrity is violated (CRC error) Ä [2].
Device_Fault | BOOL | FALSE | This parameter is set to TRUE if there is a malfunction in the F-Device (e.g., under- or overvoltage) Ä [2]. If RIOforFA profile is active (F_Passivation = 1), Device_Fault is always FALSE Ä Chapter 4.6.3.1 “RIOforFA profile” on page 201.
iPar_OK_S | BOOL | FALSE | This parameter is set to TRUE when the F-Device has new parameter values assigned Ä [2].
Host_CE_CRC | BOOL | FALSE | This parameter is for debugging purposes only. This parameter is set to TRUE if a communication fault (CRC error on F-Host side) occurred.
HostTimeout | BOOL | FALSE | This parameter is for debugging purposes only. This parameter is set to TRUE if a communication fault (timeout on F-Host side) occurred.


tResponseTimeMS | TIME | 16#0000 | This parameter is for debugging purposes only. It represents the current response time for the F-Device in ms. This value shall be smaller than the defined F_WD_Time parameter for the given F-Device. If not, then the passivation of the given F-Device will happen.
Disable_S | BOOL | FALSE | Ä Chapter 4.6.3.3 “Feature "Disable F-(Sub)Module"” on page 202

The FB instances for all F-Devices are automatically generated and can be found in the safety project in “Resources è Global Variables è PROFIsafe” (Fig. 92 on page 201). These FB instances, as normal global variables, can be accessed by end-users from their safety application programs.

DANGER!
Avoid unintended behavior
Only valid if input OAD_NEC_C = FALSE.
To avoid unintended behavior, e.g., unintended restart of 3rd party PROFIsafe devices, pay special attention to the description of the PROFIsafe Device_Fault bit in the safety user manual for those devices.
It is highly recommended to continuously supervise the Device_Fault bit of 3rd party PROFIsafe actuator devices like valves, etc. to avoid unintended restart of those after, e.g., power failure. If Device_Fault = 1 is detected for such devices, then the safety application shall passivate the module with activate_FV_C = 1. The permission for restart (activate_FV_C = 0) shall be handled in the safety application using functionality similar to that of FB SF_OutControl Ä Chapter 4.6.4.17 “SF_OutControl” on page 293.


Fig. 92: FB instances for F-Devices

Note that the SafetyBase_PROFIsafe_LV210_AC500_V22.lib library also includes a number of internal POUs (GetWord, MappingIn, MappingOut and SMemCpy) related to safety I/O handling. These POUs are for internal use only!

4.6.3.1 RIOforFA profile
The RIOforFA profile handles channel-granular errors with "qualifier bits" which are transmitted in the process data frame in addition to the I/O process values, as proposed in Ä [12].
Precondition: F-Parameter F_Passivation is set to 1 = "Channel", which is only accepted if F-Parameter F_CRC_Seed = 1, indicating a PROFIsafe V2.6 F-Device.
RIOforFA is only usable if offered by the F-Device through defined entries in the GSDML file (definition of additional qualifier bits associated to each I/O channel in combination with the F-Parameters mentioned above).
The advantage is that errors are reported immediately at channel scope, so that the safety application can react to them. If RIOforFA is active, the F-Host does not apply its output signal Device_Fault since it is not present in the PROFIsafe status byte (always FALSE). If at least one channel error disappears, the F-Host indicates it by setting output signal OA_Req_S. After acknowledgement (OA_C = TRUE), the F-Device sets the corresponding channel qualifier bit to TRUE to indicate that the channel delivers a valid value again.


NOTICE!
If a PROFIsafe error and a channel passivation happened, two edges FALSE ➝ TRUE on OA_C are required: the first one acknowledges the PROFIsafe error, the second one the channel passivation.
The application can detect that a PROFIsafe error happened on the FV_activated_S output.

4.6.3.2 Feature "Reaction on Device Fault"According to Ä [2], annex C.1

Precondition: RIOforFA profile is not activated (F-Parameter F_Passivation = 0, symbolicvalue "Device/Module").

Set the F-Host input OAD_Nec_C = TRUE (OperatorAcknowledgeDevicefault_Neces-sary).

ð "Reaction on Device Fault" is activated.

Behavior with OAD_Nec_C = TRUE ("Reaction on Device Fault" is activated):In case the F-Host or an F-Device detects a F-(Sub)Module error (Device_Fault = TRUE),fail-safe values will be activated until an error is cleared and acknowledged. The F-Host thensets the output OA_Req_S (= TRUE) as soon as the error has been eliminated and operatoracknowledgment is possible. As soon as it is acknowledged (OA_C = TRUE) the F-Host driverwill reset the request variable OA_Req_S (= FALSE).Behavior with OAD_Nec_C = FALSE ("Reaction on Device Fault" is not activated):In case the F-Host or an F-Device detects a F-(Sub)Module error (Device_Fault = TRUE),fail-safe values will be activated until an error is cleared. Acknowledgement is not needed.Ä “Avoid unintended behavior” on page 200

4.6.3.3 Feature "Disable F-(Sub)Module"

According to [2], annex C.2.

F-Devices that should be shut down for energy efficiency reasons or for tool changes require an F-Host extension that allows host timeout/CRC errors to be ignored. After the application sets Disable_C = TRUE, the F-Host is requested to use fail-safe values for this F-Device. Disable_S = TRUE reports to the application that the F-Host is now using fail-safe values. Timeout/CRC errors from the F-Device are ignored while Disable_S = TRUE.

4.6.4 SafetyBlocks_PLCopen_AC500_v22.lib

A list of supported PLCopen Safety POUs is presented in the following sub-chapters. The developed PLCopen Safety POUs are based on [8].


NOTICE!
The referenced standards in the following sub-chapters are used for information only:
– EN 954-1:1996
– IEC 60204-1 Ed. 5.0:2003
– IEC 61496-1:2004
– IEC 62046/Ed.1:2005
– ISO 12100-2:2003
– MRL 98/37/EC, Annex I
– EN 418:1992
– EN 574:1996
– EN 1088:1995
– EN 953:1997
For functional safety certification, use the newest functional safety standards; see Chapter 1.8 “Applicable standards” on page 13.

4.6.4.1 Introduction

Generic parameters and diagnostic codes of PLCopen Safety POUs are presented below.

Table 16: General input parameters

Activate (BOOL): Variable or constant. Activation of the FB. Initial value is FALSE. This parameter can be connected to the variable which represents the status (active or not active) of the relevant safety device. This ensures that no irrelevant diagnostic information is generated if a device is disabled. If FALSE, all output variables are set to the initial values. If no device is connected, a static TRUE signal must be assigned.

S_StartReset (BOOL): Variable or constant. FALSE (= initial value): manual reset when the PES is started (warm or cold). TRUE: automatic reset when the PES is started (warm or cold). This function shall only be activated if it is ensured that no hazard can occur at the start of the PES. Therefore the use of the automatic circuit reset feature of the function blocks requires implementation of other system or application measures to ensure that unexpected (or unintended) start-up does not occur.

S_AutoReset (BOOL): Variable or constant. FALSE (= initial value): manual reset when the emergency stop button is released. TRUE: automatic reset when the emergency stop button is released. This function shall only be activated if it is ensured that no hazard can occur at the start of the PES. Therefore the use of the automatic circuit reset feature of the function blocks requires implementation of other system or application measures to ensure that unexpected (or unintended) start-up does not occur.

Reset (BOOL): Variable. Initial value is FALSE. Depending on the function, this input can be used for different purposes:
● Reset of the state machine, coupled error and status messages as indicated via DiagCode, when the error cause has been removed. This reset behavior is designed as an error reset.
● Manual reset of a "restart interlock" by the operator (refer to EN 954-1). This reset behavior is designed as a functional reset.
● Additional FB-specific reset functions.
This function is only active on a signal change from FALSE to TRUE. A static TRUE signal causes no further actions, but may be detected as an error in some FBs. The appropriate meaning must be described in every FB.

Table 17: General output parameters

Ready (BOOL): If TRUE, indicates that the FB is activated and the output results are valid (same as the "POWER" LED of a safety relay). If FALSE, the FB is not active and the program is not executed. Useful in debug mode or to activate/deactivate additional FBs, as well as for further processing in the functional program.

Error (BOOL): Error flag (same as the "K1/K2" LED of a safety relay). When TRUE, indicates that an error has occurred and the FB is in an error state. The relevant error state is mirrored at the DiagCode output. If FALSE, there is no error and the FB is in another state. This again is mirrored by DiagCode (this means that DiagCode must be set in the same cycle as the state change). Useful in debug mode as well as for further processing in the functional program.

DiagCode (WORD): Diagnostic register. All states of the FB (active, not active and error) are represented by this register. This information is encoded in hexadecimal format in order to represent more than 16 codes. Only one consistent code is represented at the same time. In the event of multiple errors, the DiagCode output indicates the first detected error. See Table 18 “General diagnostic code ranges” on page 205, Table 19 “System or device-specific codes” on page 205 and Table 20 “General diagnostic codes” on page 205. Useful in debug mode as well as for further processing in the functional program.


A transparent and unique diagnostic concept forms the basis of all function blocks. Thus it is ensured that, regardless of the supplier's implementation, uniform diagnostic information is available to the user in the form of DiagCode. If no error is present, the internal status of the function block (state machine) is indicated. An error is indicated via a binary output (Error). Detailed information about internal or external function block errors can be obtained via DiagCode. The function block must be reset via the different reset inputs. Suppliers may add additional interfaces via function blocks with supplier-specific diagnostic information.

Table 18: General diagnostic code ranges

0000_0000_0000_0000 bin: The FB is not activated or the safety CPU is halted.
10xx_xxxx_xxxx_xxxx bin: Shows that the activated FB is in an operational state without an error. X = FB-specific code.
11xx_xxxx_xxxx_xxxx bin: Shows that the activated FB is in an error state. X = FB-specific code.

Table 19: System or device-specific codes

0xxx_xxxx_xxxx_xxxx bin: X = system or device-specific message. This information contains the diagnostic information for the system or device, and is mapped directly to the DiagCode output. (Note: 0000 hex is reserved.)

Table 20: General diagnostic codes

0000_0000_0000_0000 bin (0000 hex): The FB is not activated. This code represents the Idle state. For a generic example, the I/O setting could be: Activate = FALSE, S_In = FALSE or TRUE, Ready = FALSE, Error = FALSE, S_Out = FALSE.

0111_1111_1111_1111 bin (7FFF hex): Value 16#7FFF at the DiagCode output of PLCopen Safety function blocks indicates an internal error. Contact ABB technical support. Note: this is a manufacturer-specific value defined by the AC500-S safety PLC.

1000_0000_0000_0000 bin (8000 hex): The FB is activated without an error or any other condition that sets the safety output to FALSE. This is the default operational state where the S_Out safety output = TRUE in normal operation. For a generic example, the I/O setting could be: Activate = TRUE, S_In = TRUE, Ready = TRUE, Error = FALSE, S_Out = TRUE.

1000_0000_0000_0001 bin (8001 hex): An activation has been detected by the FB and the FB is now activated, but the S_Out safety output is set to FALSE. This code represents the Init state of the operational mode. For a generic example, the I/O setting could be: Activate = TRUE, S_In = FALSE or TRUE, Ready = TRUE, Error = FALSE, S_Out = FALSE.

1000_0000_0000_0010 bin (8002 hex): The activated FB detects a safety demand, e.g., S_In = FALSE. The safety output is disabled. This is an operational state where the S_Out safety output = FALSE. For a generic example, the I/O setting could be: Activate = TRUE, S_In = FALSE, Ready = TRUE, Error = FALSE, S_Out = FALSE.

1000_0000_0000_0011 bin (8003 hex): The safety output of the activated FB has been disabled by a safety demand. The safety demand is now withdrawn, but the safety output remains FALSE until a reset condition is detected. This is an operational state where the S_Out safety output = FALSE. For a generic example, the I/O setting could be: Activate = TRUE, S_In = FALSE => TRUE (continuing with static TRUE), Ready = TRUE, Error = FALSE, S_Out = FALSE.

Note: If there are more operational states where safety output = TRUE, the next available DiagCode number will be assigned for subsequent states.

4.6.4.2 SF_Equivalent

Standards and requirements:
– EN 954-1:1996, 6.2 General safety principles, idle current; 6.2 Error detection for category 3 and 4

This function block converts two equivalent BOOL inputs (both NO or NC) to one BOOL output, including discrepancy time monitoring. This FB should not be used stand-alone since it has no restart interlock. It is required to connect the output to other safety FBs.


Table 21: FB name: SF_Equivalent

VAR_INPUT
Activate (BOOL, initial value FALSE): see Table 16 “General input parameters” on page 203.
S_ChannelA (BOOL, initial value FALSE): Variable. Input A for logical connection. FALSE: contact A open. TRUE: contact A closed.
S_ChannelB (BOOL, initial value FALSE): Variable. Input B for logical connection. FALSE: contact B open. TRUE: contact B closed.
DiscrepancyTime (TIME, initial value T#0ms): Constant. Maximum monitoring time for the discrepancy status of both inputs.

VAR_OUTPUT
Ready (BOOL, initial value FALSE): see Table 17 “General output parameters” on page 204.
S_EquivalentOut (BOOL, initial value FALSE): Safety-related output. FALSE: at least one input signal = FALSE, or status change outside of the monitoring time. TRUE: both input signals "active" and status change within the monitoring time.
Error (BOOL, initial value FALSE): see Table 17 “General output parameters” on page 204.
DiagCode (WORD, initial value 16#0000): see Table 17 “General output parameters” on page 204.

Typical timing diagrams

Fig. 93: Typical timing diagram for SF_Equivalent

The function block monitors the discrepancy time between channel A and channel B, both when switching to TRUE and when switching to FALSE.

Error behavior

S_EquivalentOut is set to FALSE. Error is set to TRUE. DiagCode indicates the error state. No separate reset input is defined, as the inputs are coupled with the reset of an error: if an error occurs in the inputs, a new set of inputs with a correct S_EquivalentOut must be able to reset the error flag. (Example: if a switch is faulty and replaced, using the switch again results in a correct output.)


Function block-specific error and status codes

Table 22: FB-specific error codes

C001 (Error 1): Discrepancy time elapsed in state 8004. Ready = TRUE, S_EquivalentOut = FALSE, Error = TRUE.
C002 (Error 2): Discrepancy time elapsed in state 8014. Ready = TRUE, S_EquivalentOut = FALSE, Error = TRUE.
C003 (Error 3): Discrepancy time elapsed in state 8005. Ready = TRUE, S_EquivalentOut = FALSE, Error = TRUE.

Table 23: FB-specific status codes (no error)

0000 (Idle): The function block is not active (initial state). Ready = FALSE, S_EquivalentOut = FALSE, Error = FALSE.
8001 (Init): An activation has been detected by the FB and the FB is now activated. Ready = TRUE, S_EquivalentOut = FALSE, Error = FALSE.
8000 (Safety Output Enabled): The inputs switched to TRUE in equivalent mode. Ready = TRUE, S_EquivalentOut = TRUE, Error = FALSE.
8004 (Wait for Channel B): Channel A has been switched to TRUE; waiting for channel B; discrepancy timer started. Ready = TRUE, S_EquivalentOut = FALSE, Error = FALSE.
8014 (Wait for Channel A): Channel B has been switched to TRUE; waiting for channel A; discrepancy timer started. Ready = TRUE, S_EquivalentOut = FALSE, Error = FALSE.
8005 (From Active Wait): One channel has been switched to FALSE; waiting for the second channel to be switched to FALSE; discrepancy timer started. Ready = TRUE, S_EquivalentOut = FALSE, Error = FALSE.
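The state machine behind Tables 22 and 23, and the DiagCode ranges of Tables 18 to 20, can be replayed cycle by cycle. The following Python model is an added example and is not code from the manual or from the PLCopen library; the DiagCode values are those listed above, while the rule that an error state is left for Init once both channels read FALSE again is a modelling assumption (the text only says a new, correct set of inputs must reset the error flag).

```python
"""Cycle-based model of the PLCopen SF_Equivalent state machine.

Added example, not code from the ABB manual or from the PLCopen library.
DiagCode values and outputs follow Tables 22 and 23; the range test in
classify_diagcode follows Tables 18 to 20.  Assumption: an error state
(C001..C003) is left for Init once both channels read FALSE again.
Time advances in whole milliseconds per call to step().
"""
from dataclasses import dataclass

# DiagCode values from Tables 22 and 23
IDLE, INIT, ENABLED = 0x0000, 0x8001, 0x8000
WAIT_B, WAIT_A, FROM_ACTIVE_WAIT = 0x8004, 0x8014, 0x8005
ERR_WAIT_B, ERR_WAIT_A, ERR_FROM_ACTIVE = 0xC001, 0xC002, 0xC003
INTERNAL_ERROR = 0x7FFF  # manufacturer-specific value, Table 20

# Error code a timed wait state falls into when DiscrepancyTime elapses
TIMED_STATES = {WAIT_B: ERR_WAIT_B, WAIT_A: ERR_WAIT_A,
                FROM_ACTIVE_WAIT: ERR_FROM_ACTIVE}


def classify_diagcode(code: int) -> str:
    """Return the general DiagCode range of a 16-bit code (Tables 18 to 20)."""
    if code == 0x0000:
        return "not activated"          # FB not activated or safety CPU halted
    if code == INTERNAL_ERROR:
        return "internal error"         # 16#7FFF: contact ABB technical support
    leading = code >> 14                # the two leading bits select the range
    if leading == 0b10:
        return "operational"            # 10xx_...: active, no error
    if leading == 0b11:
        return "error"                  # 11xx_...: active, error state
    return "system/device-specific"     # 0xxx_...: Table 19


@dataclass
class SFEquivalent:
    discrepancy_time_ms: int            # DiscrepancyTime input (constant)
    diag_code: int = IDLE
    ready: bool = False
    s_equivalent_out: bool = False
    error: bool = False
    _timer_ms: int = 0                  # discrepancy timer of the current wait state

    def step(self, activate: bool, ch_a: bool, ch_b: bool, dt_ms: int = 1) -> int:
        """Run one PLC cycle of dt_ms with the given inputs; return the new DiagCode."""
        s = self.diag_code
        both_true, both_false = ch_a and ch_b, not (ch_a or ch_b)
        if not activate:
            nxt = IDLE                  # Activate = FALSE: all outputs to initial values
        elif s == IDLE:
            nxt = INIT                  # 8001: activation detected
        elif s == INIT:
            nxt = ENABLED if both_true else WAIT_B if ch_a else WAIT_A if ch_b else INIT
        elif s == ENABLED:
            nxt = ENABLED if both_true else INIT if both_false else FROM_ACTIVE_WAIT
        elif s == WAIT_B:               # channel A closed first, B still open
            nxt = ENABLED if both_true else INIT if not ch_a else self._tick(s, dt_ms)
        elif s == WAIT_A:               # channel B closed first, A still open
            nxt = ENABLED if both_true else INIT if not ch_b else self._tick(s, dt_ms)
        elif s == FROM_ACTIVE_WAIT:     # one channel opened, waiting for the other
            nxt = INIT if both_false else self._tick(s, dt_ms)
        else:                           # C001..C003 (assumption: both FALSE clears the error)
            nxt = INIT if both_false else s
        if nxt != s and nxt in TIMED_STATES:
            self._timer_ms = 0          # "discrepancy timer started" on entering a wait state
        self.diag_code = nxt
        self.ready = nxt != IDLE
        self.s_equivalent_out = nxt == ENABLED
        self.error = classify_diagcode(nxt) == "error"
        return nxt

    def _tick(self, state: int, dt_ms: int) -> int:
        """Advance the discrepancy timer; fall into the matching error code once it elapses."""
        self._timer_ms += dt_ms
        return TIMED_STATES[state] if self._timer_ms >= self.discrepancy_time_ms else state


def run_scenario(inputs, discrepancy_time_ms: int = 3) -> list:
    """Feed (Activate, S_ChannelA, S_ChannelB) tuples, one per 1 ms cycle; return the DiagCode trace."""
    fb = SFEquivalent(discrepancy_time_ms)
    return [fb.step(a, b, c) for a, b, c in inputs]


# Constructed input sequence: a two-channel switch closes with B 2 ms behind A
# (within DiscrepancyTime = 3 ms), opens again, then A closes alone and B never follows.
DEMO_INPUTS = [
    (False, False, False),  # 0000 Idle
    (True, False, False),   # 8001 Init
    (True, True, False),    # 8004 Wait for Channel B, timer started
    (True, True, False),    # 8004, 1 ms elapsed
    (True, True, True),     # 8000 Safety Output Enabled
    (True, True, True),     # 8000
    (True, False, True),    # 8005 From Active Wait
    (True, False, False),   # 8001 Init
    (True, True, False),    # 8004, timer restarted
    (True, True, False),    # 8004, 1 ms
    (True, True, False),    # 8004, 2 ms
    (True, True, False),    # C001: discrepancy time elapsed in state 8004
    (True, True, False),    # C001 persists while A stays closed alone
    (True, False, False),   # 8001: both channels FALSE clears the error
]

if __name__ == "__main__":
    for (a, b, c), code in zip(DEMO_INPUTS, run_scenario(DEMO_INPUTS)):
        print(f"Activate={a!s:5} A={b!s:5} B={c!s:5} -> 16#{code:04X} ({classify_diagcode(code)})")
```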

4.6.4.3 SF_Antivalent

Standards and requirements:
– EN 954-1:1996, 6.2 General safety principles, idle current; 6.2 Error detection for category 3 and 4

This function block converts two antivalent BOOL inputs (NO/NC pair) to one BOOL output with discrepancy time monitoring. This FB should not be used stand-alone since it has no restart interlock. It is required to connect the output to other safety FBs.

Table 24: FB name: SF_Antivalent

VAR_INPUT
Activate (BOOL, initial value FALSE): see Table 16 “General input parameters” on page 203.
S_ChannelNC (BOOL, initial value FALSE): Variable. NC stands for normally closed. Input for NC connection. FALSE: NC contact open. TRUE: NC contact closed.
S_ChannelNO (BOOL, initial value TRUE): Variable. NO stands for normally open. Input for NO connection. FALSE: NO contact open. TRUE: NO contact closed.
DiscrepancyTime (TIME, initial value T#0ms): Constant. Maximum monitoring time for the discrepancy status of both inputs.

VAR_OUTPUT
Ready (BOOL, initial value FALSE): see Table 17 “General output parameters” on page 204.
S_AntivalentOut (BOOL, initial value FALSE): Safety-related output. FALSE: at least one input signal "not active", or status change outside of the monitoring time. TRUE: both input signals "active" and status change within the monitoring time.
Error (BOOL, initial value FALSE): see Table 17 “General output parameters” on page 204.
DiagCode (WORD, initial value 16#0000): see Table 17 “General output parameters” on page 204.

Notes: "Antivalent" means that during normal operation, the two inputs are in opposite states at the same time. This is sometimes called "complementary" or "non-equivalent".

Typical timing diagrams

Fig. 94: Typical timing diagram for SF_Antivalent

The function block monitors the discrepancy time between channel NO and channel NC.

Error behavior

The output S_AntivalentOut is set to FALSE. Error is set to TRUE. DiagCode indicates the error state. No separate reset input is defined, as the inputs are coupled with the reset of an error: if an error occurs in the inputs, one new set of inputs with the correct value must be able to reset the error flag. (Example: if a switch is faulty and replaced, using the switch again results in a correct output.)


Function block-specific error and status codes

Table 25: FB-specific error codes

C001 (Error 1): Discrepancy time elapsed in state 8004. Ready = TRUE, S_AntivalentOut = FALSE, Error = TRUE.
C002 (Error 2): Discrepancy time elapsed in state 8014. Ready = TRUE, S_AntivalentOut = FALSE, Error = TRUE.
C003 (Error 3): Discrepancy time elapsed in state 8005. Ready = TRUE, S_AntivalentOut = FALSE, Error = TRUE.

Table 26: FB-specific status codes (no error)

0000 (Idle): The function block is not active (initial state). Ready = FALSE, S_AntivalentOut = FALSE, Error = FALSE.
8001 (Init): An activation has been detected by the FB and the FB is now activated. Ready = TRUE, S_AntivalentOut = FALSE, Error = FALSE.
8000 (Safety Output Enabled): The inputs switched to the Active state in antivalent mode. Ready = TRUE, S_AntivalentOut = TRUE, Error = FALSE.
8004 (Wait for NO): ChannelNC has been switched to TRUE; waiting for ChannelNO to be switched to FALSE; discrepancy timer started. Ready = TRUE, S_AntivalentOut = FALSE, Error = FALSE.
8014 (Wait for NC): ChannelNO has been switched to FALSE; waiting for ChannelNC to be switched to TRUE; discrepancy timer started. Ready = TRUE, S_AntivalentOut = FALSE, Error = FALSE.
8005 (From Active Wait): One channel has been switched to inactive; waiting for the second channel to be switched to inactive too. Ready = TRUE, S_AntivalentOut = FALSE, Error = FALSE.

4.6.4.4 SF_ModeSelector

Standards and requirements:
– MRL 98/37/EC, Annex I, 1.2.3 Starting: ... It must be possible to start machinery only by voluntary actuation of a control provided for the purpose ... The same requirement applies: ... when effecting a significant change in the operating conditions ... 1.2.5: ... mode selector which can be locked in each position. Each position of the selector must correspond to a single operating or control mode ...
– EN ISO 12100-2:2003, 4.11.10 Selection of control and operating modes: ... shall be fitted with a mode selector which can be locked in each position. Each position of the selector shall be clearly identifiable and shall exclusively enable one control or operating mode to be selected ...
– IEC 60204-1, Ed. 5.0:2003, 9.2.3 Operating modes: ... When a hazardous condition can result from a mode selection, unauthorized and/or inadvertent selection shall be prevented by suitable means (e.g. key operated switch, access code). Mode selection by itself shall not initiate machine operation. A separate action by the operator shall be required. ... Indication of the selected operating mode shall be provided ...
– EN 954-1:1996, 5.4 Manual reset
– ISO 12100-2:2003, 4.11.4 Restart following power failure/spontaneous restart


This function block selects the system operation mode, such as manual, automatic, semi-automatic, etc.

Table 27: FB name: SF_ModeSelector

VAR_INPUT
Activate (BOOL, initial value FALSE): see Table 16 “General input parameters” on page 203.
S_Mode0 to S_Mode7 (BOOL, initial value FALSE): Variable or constant. Input X (X = 0 to 7) from the mode selector switch. FALSE: Mode X is not requested by the operator. TRUE: Mode X is requested by the operator.
S_Unlock (BOOL, initial value FALSE): Variable or constant. Locks the selected mode. FALSE: the actual S_ModeXSel output is locked; therefore a change of any S_ModeX input does not lead to a change in the S_ModeXSel output, even in the event of a rising edge of SetMode. TRUE: the selected S_ModeXSel is not locked; a mode selection change is possible.
S_SetMode (BOOL, initial value FALSE): Variable (or constant FALSE, if AutoSetMode = TRUE). Sets the selected mode. The operator acknowledges the setting of a mode. Any change to a new S_ModeX = TRUE leads to S_AnyModeSel/S_ModeXSel = FALSE; only a rising SetMode trigger then leads to the new S_ModeXSel = TRUE.
AutoSetMode (BOOL, initial value FALSE): Constant. Parameterizes the acknowledgment mode. FALSE: a change in mode must be acknowledged by the operator via SetMode. TRUE: a valid change of the S_ModeX input to another S_ModeX automatically leads to a change in S_ModeXSel without operator acknowledgment via SetMode (as long as this is not locked by S_Unlock).
Reset (BOOL, initial value FALSE): see Table 16 “General input parameters” on page 203.
ModeMonitorTime (TIME, initial value T#0): Constant. Maximum permissible time for changing the selection input.

VAR_OUTPUT
Ready (BOOL, initial value FALSE): see Table 17 “General output parameters” on page 204.
S_Mode0Sel to S_Mode7Sel (BOOL, initial value FALSE): Indicates that mode X (X = 0 to 7) is selected and acknowledged. FALSE: Mode X is not selected or not active. TRUE: Mode X is selected and active.
S_AnyModeSel (BOOL, initial value FALSE): Indicates that any of the 8 modes is selected and acknowledged. FALSE: no S_ModeX is selected. TRUE: one of the 8 S_ModeX is selected and active.
Error (BOOL, initial value FALSE): see Table 17 “General output parameters” on page 204.
DiagCode (WORD, initial value 16#0000): see Table 17 “General output parameters” on page 204.

Note: The X in the parameter names "S_ModeX" or "S_ModeXSel" is a placeholder for the digits 0 to 7.

Typical timing diagrams

Fig. 95: Timing diagram for SF_ModeSelector, valid change in mode input with acknowledgment

Fig. 96: Timing diagram for SF_ModeSelector, error condition 2 at mode inputs

Fig. 97: Timing diagram for SF_ModeSelector, reset of error condition


Error behavior

The FB detects whether none of the mode inputs is selected. This invalid condition is detected after ModeMonitorTime has elapsed:
● which restarts with each falling trigger of an S_ModeX mode input,
● and which also runs in the ModeChanged state following activation of the FB.
In contrast, the FB directly detects whether more than one S_ModeX mode input is selected at the same time. A static reset condition is detected when the FB is either in error state C001 or C002.

In the event of an error, the S_ModeXSel and S_AnyModeSel outputs are set to the safe state = FALSE. The DiagCode output indicates the relevant error code and the Error output is set to TRUE. An error must be acknowledged with the rising trigger of the Reset BOOL input. The FB then changes from the error state to the ModeChanged state.

Function block-specific error and status codes

Table 28: FB-specific error codes

C001 (Error Short-circuit): The FB detected that two or more S_ModeX are TRUE, e.g., short-circuit of cables. Ready = TRUE, Error = TRUE, S_AnyModeSel = FALSE, all S_ModeXSel = FALSE.
C002 (Error Open-circuit): The FB detected that all S_ModeX are FALSE: the period following a falling S_ModeX trigger exceeds ModeMonitorTime, e.g., open-circuit of cables. Ready = TRUE, Error = TRUE, S_AnyModeSel = FALSE, all S_ModeXSel = FALSE.
C003 (Reset Error 1): Static reset signal detected in state C001. Ready = TRUE, Error = TRUE, S_AnyModeSel = FALSE, all S_ModeXSel = FALSE.
C004 (Reset Error 2): Static reset signal detected in state C002. Ready = TRUE, Error = TRUE, S_AnyModeSel = FALSE, all S_ModeXSel = FALSE.

Table 29: FB-specific status codes (no error)

0000 (Idle): The function block is not active (initial state). Ready = FALSE, Error = FALSE, S_AnyModeSel = FALSE, all S_ModeXSel = FALSE.
8005 (ModeChanged): State after activation, or when S_ModeX has changed (unless locked), or after reset of an error state. Ready = TRUE, Error = FALSE, S_AnyModeSel = FALSE, all S_ModeXSel = FALSE.
8000 (ModeSelected): Valid mode selection, but not yet locked. Ready = TRUE, Error = FALSE, S_AnyModeSel = TRUE, S_ModeXSel: the selected X is TRUE, the others are FALSE.
8004 (ModeLocked): Valid mode selection is locked. Ready = TRUE, Error = FALSE, S_AnyModeSel = TRUE, S_ModeXSel: the selected X is TRUE, the others are FALSE.

4.6.4.5 SF_EmergencyStop

Standards and requirements:
– EN 418:1992, 3. Definitions; 4.1.12 ... Resetting the control device shall not by itself cause a restart command.
– EN 954-1:1996, 5.4 Manual reset
– ISO 12100-2:2003, 4.11.4 Restart following power failure/spontaneous restart
– IEC 60204-1, Ed. 5.0:2003, 9.2.2 Stop functions


This function block is a safety-related function block for monitoring an emergency stop button.This FB can be used for emergency stop switch off functionality (stop category 0), or - withadditional peripheral support - as emergency stop (stop category 1 or 2).

Table 30: FB name: SF_EmergencyStop

VAR_INPUT
Activate (BOOL, initial value FALSE): see Table 16 “General input parameters” on page 203.
S_EStopIn (BOOL, initial value FALSE): Safety demand input. Variable. FALSE: demand for safety-related response (e.g., emergency stop button is engaged). TRUE: no demand for safety-related response (e.g., emergency stop button not engaged).
S_StartReset (BOOL, initial value FALSE): see Table 16 “General input parameters” on page 203.
S_AutoReset (BOOL, initial value FALSE): see Table 16 “General input parameters” on page 203.
Reset (BOOL, initial value FALSE): see Table 16 “General input parameters” on page 203.

VAR_OUTPUT
Ready (BOOL, initial value FALSE): see Table 17 “General output parameters” on page 204.
S_EStopOut (BOOL, initial value FALSE): Output for the safety-related response. FALSE: safety output disabled; demand for safety-related response (e.g., emergency stop button engaged, reset required or internal errors active). TRUE: safety output enabled; no demand for safety-related response (e.g., emergency stop button not engaged, no internal errors active).
Error (BOOL, initial value FALSE): see Table 17 “General output parameters” on page 204.
DiagCode (WORD, initial value 16#0000): see Table 17 “General output parameters” on page 204.

Note: The following requirements as defined in EN 418:1992 have to be fulfilled by the user:
● 4.1.4 After activation of the actuator, the emergency stop equipment shall operate in such a way that the hazard is averted or reduced automatically in the best possible manner.
● 4.1.7 The emergency stop command shall override all other commands.
● 4.1.12 Resetting the control device shall only be possible as the result of a manual action on the control device itself ... It shall not be possible to restart the machine until all control devices which have been actuated are reset manually, individually and intentionally.

Typical timing diagrams

Fig. 98: Timing diagram for SF_EmergencyStop: S_StartReset = FALSE; S_AutoReset = FALSE; start, reset, normal operation, safety demand, restart

Fig. 99: Timing diagram for SF_EmergencyStop: S_StartReset = TRUE, S_AutoReset = FALSE; start, normal operation, safety demand, restart

Fig. 100: Timing diagram for SF_EmergencyStop: S_StartReset = FALSE, S_AutoReset = TRUE; start, normal operation, safety demand, restart

Error behavior

The function block detects a static TRUE signal at the Reset input. S_EStopOut is set to FALSE. In case of a static TRUE signal at the Reset input, the DiagCode output indicates the relevant error code and the Error output is set to TRUE. To leave the error states, Reset must be set to FALSE.

Function block-specific error and status codes

Table 31: FB-specific error codes

C001 (Reset Error 1): Reset is TRUE while waiting for S_EStopIn = TRUE. Ready = TRUE, S_EStopOut = FALSE, Error = TRUE.
C002 (Reset Error 2): Reset is TRUE while waiting for S_EStopIn = TRUE. Ready = TRUE, S_EStopOut = FALSE, Error = TRUE.

Table 32: FB-specific status codes (no error)

0000 (Idle): The function block is not active (initial state). Ready = FALSE, S_EStopOut = FALSE, Error = FALSE.
8001 (Init): Activation is TRUE. The function block was enabled. Check if S_StartReset is required. Ready = TRUE, S_EStopOut = FALSE, Error = FALSE.
8002 (Wait for S_EStopIn 1): Activation is TRUE. Check if Reset is FALSE and wait for S_EStopIn = TRUE. Ready = TRUE, S_EStopOut = FALSE, Error = FALSE.
8003 (Wait for Reset 1): Activation is TRUE. S_EStopIn = TRUE. Wait for a rising trigger of Reset. Ready = TRUE, S_EStopOut = FALSE, Error = FALSE.
8004 (Wait for S_EStopIn 2): Activation is TRUE. Safety demand detected. Check if Reset is FALSE and wait for S_EStopIn = TRUE. Ready = TRUE, S_EStopOut = FALSE, Error = FALSE.
8005 (Wait for Reset 2): Activation is TRUE. S_EStopIn = TRUE. Check for S_AutoReset or wait for a rising trigger of Reset. Ready = TRUE, S_EStopOut = FALSE, Error = FALSE.
8000 (Safety Output Enabled): Activation is TRUE. S_EStopIn = TRUE. Functional mode with S_EStopOut = TRUE. Ready = TRUE, S_EStopOut = TRUE, Error = FALSE.


4.6.4.6 SF_ESPE

Standards | Requirements
EN IEC 61496-1:2004 | A.5.1 Start interlock: The start interlock shall prevent the OSSD(s) going to the ON-state when the electrical supply is switched on, or is interrupted and restored.
    | A.5.2: A failure of the start interlock which causes it to go to, or remain in, a permanent ON-state shall cause the ESPE to go to, or to remain in, the lock-out condition.
    | A.6.1 Restart interlock: ... The interlock condition shall continue until the restart interlock is manually reset. However, it shall not be possible to reset the restart interlock whilst the sensing device is actuated.
EN 954-1:1996 | 5.4 Manual reset
ISO 12100-2:2003 | 4.11.4 Restart following power failure/spontaneous restart

This function block is a safety-related function block for monitoring electro-sensitive protective equipment (ESPE). Its function is identical to SF_EmergencyStop. The S_ESPE_Out output is set to FALSE as soon as the S_ESPE_In input is set to FALSE. The S_ESPE_Out output is set to TRUE only if the S_ESPE_In input is TRUE and a reset occurs. The reset behavior depends on the S_StartReset, S_AutoReset, and Reset inputs:

If S_AutoReset = TRUE, acknowledgment is automatic.
If S_AutoReset = FALSE, a rising trigger at the Reset input must be used to acknowledge the enable.
If S_StartReset = TRUE, acknowledgment is automatic when the PES is started for the first time.
If S_StartReset = FALSE, a rising trigger at the Reset input must be used to acknowledge the enable.

The S_StartReset and S_AutoReset inputs shall only be activated if it is ensured that no hazardous situation can occur when the PES is started. The ESPE must be selected with respect to the product standards EN IEC 61496-1, -2 and -3 and the required category according to EN 954-1.

Table 33: FB name: SF_ESPE

Name | Data type | Initial value | Description, parameter values
VAR_INPUT
Activate | BOOL | FALSE | see Table 16 “General input parameters” on page 203
S_ESPE_In | BOOL | FALSE | Variable. Safety demand input. FALSE: ESPE actuated, demand for safety-related response. TRUE: ESPE not actuated, no demand for safety-related response. When the ESPE is used as a trip device, the safety control system must be able to detect a very short interruption of the sensor (specified in 61496-1 as a minimum of 80 ms).
S_StartReset | BOOL | FALSE | see Table 16 “General input parameters” on page 203
S_AutoReset | BOOL | FALSE | see Table 16 “General input parameters” on page 203
Reset | BOOL | FALSE | see Table 16 “General input parameters” on page 203
VAR_OUTPUT
Ready | BOOL | FALSE | see Table 17 “General output parameters” on page 204
S_ESPE_Out | BOOL | FALSE | Output for the safety-related response. FALSE: Safety output disabled; demand for safety-related response (e.g., reset required or internal errors active). TRUE: Safety output enabled; no demand for safety-related response.
Error | BOOL | FALSE | see Table 17 “General output parameters” on page 204
DiagCode | WORD | 16#0000 | see Table 17 “General output parameters” on page 204

Typical timing diagrams

Fig. 101: Timing diagram for SF_ESPE: S_StartReset = FALSE, S_AutoReset = FALSE; start, reset, normal operation, safety demand, restart

Fig. 102: Timing diagram for SF_ESPE: S_StartReset = TRUE, S_AutoReset = FALSE; start, normal operation, safety demand, restart

Fig. 103: Timing diagram for SF_ESPE: S_StartReset = FALSE, S_AutoReset = TRUE; start, normal operation, safety demand, restart

Error behavior

The function block detects a static TRUE signal at the Reset input. S_ESPE_Out is set to FALSE. In the case of a static TRUE signal at the Reset input, the DiagCode output indicates the relevant error code and the Error output is set to TRUE. To leave the error states, Reset must be set to FALSE.

Function block-specific error and status codes

Table 34: FB-specific error codes

DiagCode | State name | State description and output setting
C001 | Reset Error 1 | Reset is TRUE while waiting for S_ESPE_In = TRUE. Ready = TRUE, S_ESPE_Out = FALSE, Error = TRUE
C002 | Reset Error 2 | Reset is TRUE while waiting for S_ESPE_In = TRUE. Ready = TRUE, S_ESPE_Out = FALSE, Error = TRUE

Table 35: FB-specific status codes (no error)

DiagCode | State name | State description and output setting
0000 | Idle | The function block is not active (initial state). Ready = FALSE, S_ESPE_Out = FALSE, Error = FALSE
8001 | Init | Activation is TRUE. The function block was enabled. Check if S_StartReset is required. Ready = TRUE, S_ESPE_Out = FALSE, Error = FALSE
8002 | Wait for S_ESPE_In 1 | Activation is TRUE. Check if Reset is FALSE and wait for S_ESPE_In = TRUE. Ready = TRUE, S_ESPE_Out = FALSE, Error = FALSE
8003 | Wait for Reset 1 | Activation is TRUE. S_ESPE_In = TRUE. Wait for rising trigger of Reset. Ready = TRUE, S_ESPE_Out = FALSE, Error = FALSE
8004 | Wait for S_ESPE_In 2 | Activation is TRUE. Safety demand detected. Check if Reset is FALSE and wait for S_ESPE_In = TRUE. Ready = TRUE, S_ESPE_Out = FALSE, Error = FALSE
8005 | Wait for Reset 2 | Activation is TRUE. S_ESPE_In = TRUE. Check for S_AutoReset or wait for rising trigger of Reset. Ready = TRUE, S_ESPE_Out = FALSE, Error = FALSE
8000 | Safety Output Enabled | Activation is TRUE. S_ESPE_In = TRUE. Functional mode with S_ESPE_Out = TRUE. Ready = TRUE, S_ESPE_Out = TRUE, Error = FALSE
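The reset semantics of SF_ESPE and SF_EmergencyStop (S_StartReset, S_AutoReset, rising-edge Reset, static Reset reported as C001/C002) as a cycle-based model that can be stepped with test vectors. This is an added example written for this page, not ABB library code and not the PLCopen reference implementation. The DiagCode values and output settings are taken from Tables 31/32 and 34/35; the exact transitions (one per call, i.e. one per safety cycle), the class name SF_ESPE, the method step() and the helper run() are assumptions and must be validated against the real library's behavior in Automation Builder before anything is built on them.

```python
"""Cycle-based reference model of the SF_ESPE / SF_EmergencyStop reset logic.

Added example, not ABB library code.  DiagCode values and output settings
follow Tables 31/32 and 34/35; the transitions between states are
reconstructed from the state descriptions and the timing diagrams
(one transition per call, i.e. per safety cycle) and are an assumption
to validate against the real library before relying on them.
"""

IDLE, ENABLED, INIT = 0x0000, 0x8000, 0x8001
WAIT_IN_1, WAIT_RESET_1, WAIT_IN_2, WAIT_RESET_2 = 0x8002, 0x8003, 0x8004, 0x8005
RESET_ERR_1, RESET_ERR_2 = 0xC001, 0xC002


class SF_ESPE:
    """S_ESPE_In = FALSE is a demand.  S_StartReset / S_AutoReset are constants."""

    def __init__(self, s_start_reset=False, s_auto_reset=False):
        self.s_start_reset = s_start_reset
        self.s_auto_reset = s_auto_reset
        self.diag_code = IDLE
        self._reset_prev = False          # for the rising trigger (R_TRIG) on Reset

    # Output settings are a pure function of the state, as in the tables.
    @property
    def ready(self):
        return self.diag_code != IDLE

    @property
    def s_espe_out(self):
        return self.diag_code == ENABLED

    @property
    def error(self):
        return self.diag_code >= 0xC000

    def step(self, activate, s_espe_in, reset):
        """One safety cycle; returns the new DiagCode."""
        r_trig = reset and not self._reset_prev
        self._reset_prev = reset
        s = self.diag_code
        if not activate:
            s = IDLE
        elif s == IDLE:
            s = INIT
        elif s == INIT:                 # 8001: S_StartReset is applied on the first S_ESPE_In = TRUE
            s = WAIT_IN_1
        elif s == WAIT_IN_1:            # 8002: a Reset that is already TRUE here is error C001
            if reset:
                s = RESET_ERR_1
            elif s_espe_in:
                s = ENABLED if self.s_start_reset else WAIT_RESET_1
        elif s == WAIT_RESET_1:         # 8003: needs a rising edge; a held Reset does nothing
            if not s_espe_in:
                s = WAIT_IN_2
            elif r_trig:
                s = ENABLED
        elif s == ENABLED:              # 8000: any demand disables the output at once
            if not s_espe_in:
                s = WAIT_IN_2
        elif s == WAIT_IN_2:            # 8004: Reset held TRUE during a demand is error C002
            if reset:
                s = RESET_ERR_2
            elif s_espe_in:
                s = ENABLED if self.s_auto_reset else WAIT_RESET_2
        elif s == WAIT_RESET_2:         # 8005
            if not s_espe_in:
                s = WAIT_IN_2
            elif r_trig:
                s = ENABLED
        elif s == RESET_ERR_1:          # C001 / C002 are left only when Reset goes FALSE
            if not reset:
                s = WAIT_IN_1
        elif s == RESET_ERR_2:
            if not reset:
                s = WAIT_IN_2
        self.diag_code = s
        return s


def run(fb, cycles):
    """Apply (Activate, S_ESPE_In, Reset) tuples cycle by cycle; return the DiagCode trace."""
    return [fb.step(*c) for c in cycles]
```

The trace for Fig. 101 (S_StartReset = FALSE, S_AutoReset = FALSE) is 8001, 8002, 8003, then 8000 on the rising edge of Reset, 8004 on the demand and 8005 once the demand is gone; a Reset that is still TRUE when the demand occurs does not re-enable the output but produces C002 until it is released, which is the property a commissioning test should check on a wired reset button.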

4.6.4.7 SF_GuardMonitoring

Standards | Requirements
EN 953:1997 | 3.3.3 Control guard:
    | ● The hazardous machine functions "covered" by the guard cannot operate until the guard is closed;
    | ● Closing the guard initiates operation of the hazardous machine function(s).
EN 1088:1995 | 3.2 Interlocking guard:
    | ● The hazardous machine functions "covered" by the guard cannot operate until the guard is closed;
    | ● If the guard is opened while the hazardous machine functions are operating, a stop instruction is given;
    | ● When the guard is closed, the hazardous machine functions "covered" by the guard can operate, but the closure of the guard does not by itself initiate their operation.
EN 954-1:1996 | 5.4 Manual reset
ISO 12100-2:2003 | 4.11.4 Restart following power failure/spontaneous restart

This function block monitors the relevant safety guard. It has two independent inputs for the two switches at the safety guard, coupled with a maximum time difference (the DiscrepancyTime input) for closing the guard. The function block requires two inputs indicating the guard position for safety guards with two switches (according to EN 1088), a DiscrepancyTime input and a Reset input. If the safety guard has only one switch, the S_GuardSwitch1 and S_GuardSwitch2 inputs can be bridged. The discrepancy time is the maximum time allowed for both switches to respond when closing the safety guard. The Reset, S_StartReset, and S_AutoReset inputs determine how the function block is reset after the safety guard has been opened.


When the safety guard is opened, both the S_GuardSwitch1 and S_GuardSwitch2 inputs should switch to FALSE. The S_GuardMonitoring output switches to FALSE as soon as one of the switches is FALSE. When the safety guard is closed, both the S_GuardSwitch1 and S_GuardSwitch2 inputs should switch to TRUE.

This FB monitors the symmetry of the switching behavior of both switches. The S_GuardMonitoring output remains FALSE if only one of the contacts has completed an open/close process. The behavior of the S_GuardMonitoring output depends on the time difference between the switching inputs. The discrepancy time is monitored as soon as the values of the S_GuardSwitch1/S_GuardSwitch2 inputs differ. If the DiscrepancyTime has elapsed but the inputs still differ, the S_GuardMonitoring output remains FALSE. If the second S_GuardSwitch1/S_GuardSwitch2 input switches to TRUE within the value specified at the DiscrepancyTime input, the S_GuardMonitoring output is set to TRUE following acknowledgment.

The S_StartReset and S_AutoReset inputs shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Table 36: FB name: SF_GuardMonitoring

Name | Data type | Initial value | Description, parameter values
VAR_INPUT
Activate | BOOL | FALSE | see Table 16 “General input parameters” on page 203
S_GuardSwitch1 | BOOL | FALSE | Variable. Guard switch 1 input. FALSE: Guard is open. TRUE: Guard is closed.
S_GuardSwitch2 | BOOL | FALSE | Variable. Guard switch 2 input. FALSE: Guard is open. TRUE: Guard is closed.
DiscrepancyTime | TIME | T#0ms | Constant. Configures the monitored synchronous time between S_GuardSwitch1 and S_GuardSwitch2.
S_StartReset | BOOL | FALSE | see Table 16 “General input parameters” on page 203 (only constant)
S_AutoReset | BOOL | FALSE | see Table 16 “General input parameters” on page 203 (only constant)
Reset | BOOL | FALSE | see Table 16 “General input parameters” on page 203
VAR_OUTPUT
Ready | BOOL | FALSE | see Table 17 “General output parameters” on page 204
S_GuardMonitoring | BOOL | FALSE | Output indicating the status of the guard. FALSE: Guard is not active. TRUE: Both S_GuardSwitch inputs are TRUE, no error, and acknowledgment given. Guard is active.
Error | BOOL | FALSE | see Table 17 “General output parameters” on page 204
DiagCode | WORD | 16#0000 | see Table 17 “General output parameters” on page 204


Typical timing diagrams

Fig. 104: Timing diagrams for SF_GuardMonitoring

External signals: The mechanical setup combines an opening and a closing switch according to EN 954 (safety guard with two switches). Discrepancy time monitoring covers the time lag between the reactions of both mechanical switches, according to EN 954 (to be considered as "application error" detection, i.e., generated by the application).


Error and reset behavior

An error is detected if the time lag between the first S_GuardSwitch1/S_GuardSwitch2 input and the second is greater than the value at the DiscrepancyTime input. The Error output is set to TRUE. The function block also detects a static TRUE signal at the Reset input.

The S_GuardMonitoring output is set to FALSE. If the S_GuardSwitch1 and S_GuardSwitch2 inputs are bridged, no discrepancy error is detected. To leave the reset error state, the Reset input must be set to FALSE. To leave the discrepancy time errors, the S_GuardSwitch1 and S_GuardSwitch2 inputs must both be set to FALSE.

Function block-specific error and status codes

Table 37: FB-specific error codes

DiagCode | State name | State description and output setting
C001 | Reset Error | Static reset detected in state 8003. Ready = TRUE, S_GuardMonitoring = FALSE, Error = TRUE
C011 | Discrepancy-time Error 1 | DiscrepancyTime elapsed in state 8004. Ready = TRUE, S_GuardMonitoring = FALSE, Error = TRUE
C012 | Discrepancy-time Error 2 | DiscrepancyTime elapsed in state 8014. Ready = TRUE, S_GuardMonitoring = FALSE, Error = TRUE

Table 38: FB-specific status codes (no error)

DiagCode | State name | State description and output setting
0000 | Idle | The function block is not active (initial state). Ready = FALSE, S_GuardMonitoring = FALSE, Error = FALSE
8000 | Normal | Safety guard closed and safe state acknowledged. Ready = TRUE, S_GuardMonitoring = TRUE, Error = FALSE
8001 | Init | Function block has been activated. Ready = TRUE, S_GuardMonitoring = FALSE, Error = FALSE
8002 | Open Guard Request | Complete switching sequence required. Ready = TRUE, S_GuardMonitoring = FALSE, Error = FALSE
8003 | Wait for Reset | Waiting for rising trigger at Reset. Ready = TRUE, S_GuardMonitoring = FALSE, Error = FALSE
8012 | Guard Opened | Guard completely opened. Ready = TRUE, S_GuardMonitoring = FALSE, Error = FALSE
8004 | Wait for GuardSwitch2 | S_GuardSwitch1 has been switched to TRUE; waiting for S_GuardSwitch2; discrepancy timer started. Ready = TRUE, S_GuardMonitoring = FALSE, Error = FALSE
8014 | Wait for GuardSwitch1 | S_GuardSwitch2 has been switched to TRUE; waiting for S_GuardSwitch1; discrepancy timer started. Ready = TRUE, S_GuardMonitoring = FALSE, Error = FALSE
8005 | Guard Closed | Guard closed. Waiting for Reset if S_AutoReset = FALSE. Ready = TRUE, S_GuardMonitoring = FALSE, Error = FALSE
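The discrepancy-time monitoring and the reset behavior described above, as a cycle-based model that a practitioner can step with a scan time and switch patterns to see which DiagCode results. This is an added example written for this page, not ABB library code. The DiagCode values and output settings come from Tables 36 to 38; the transitions between states, the timer arithmetic (the timer accumulates the scan time dt_ms while the two switches differ), the class name SF_GuardMonitoring and the method step() are assumptions to be checked against the real library before use.

```python
"""Cycle-based reference model of SF_GuardMonitoring (Tables 36 to 38).

Added example, not ABB library code.  DiagCode values and output settings
follow the tables; the transitions and the timer arithmetic (the timer
accumulates the scan time dt_ms while the two switches differ) are
reconstructed from the state descriptions and are an assumption to
check against the library.
"""

IDLE, NORMAL, INIT, OPEN_REQUEST, WAIT_RESET = 0x0000, 0x8000, 0x8001, 0x8002, 0x8003
WAIT_SWITCH2, WAIT_SWITCH1, GUARD_CLOSED, GUARD_OPENED = 0x8004, 0x8014, 0x8005, 0x8012
RESET_ERROR, DISCREPANCY_ERROR_1, DISCREPANCY_ERROR_2 = 0xC001, 0xC011, 0xC012


class SF_GuardMonitoring:
    def __init__(self, discrepancy_time_ms, s_start_reset=False, s_auto_reset=False):
        self.discrepancy_time_ms = discrepancy_time_ms   # constant, like the DiscrepancyTime input
        self.s_start_reset = s_start_reset
        self.s_auto_reset = s_auto_reset
        self.diag_code = IDLE
        self.timer_ms = 0
        self._reset_prev = False

    @property
    def s_guard_monitoring(self):
        return self.diag_code == NORMAL                  # TRUE only in state 8000

    @property
    def error(self):
        return self.diag_code >= 0xC000

    def step(self, activate, sw1, sw2, reset, dt_ms):
        """One safety cycle of dt_ms; returns the new DiagCode."""
        r_trig = reset and not self._reset_prev
        self._reset_prev = reset
        both_closed, both_open = sw1 and sw2, not sw1 and not sw2
        s = self.diag_code
        if not activate:
            s = IDLE
        elif s == IDLE:
            s = INIT
        elif s == INIT:                                  # 8001
            if both_closed:
                s = NORMAL if self.s_start_reset else WAIT_RESET
            else:
                s = OPEN_REQUEST
        elif s == OPEN_REQUEST:                          # 8002: a full open/close sequence is required
            if both_open:
                s = GUARD_OPENED
        elif s == GUARD_OPENED:                          # 8012: the first switch closing starts the timer
            if both_closed:
                s = GUARD_CLOSED
            elif sw1 or sw2:
                s, self.timer_ms = (WAIT_SWITCH2 if sw1 else WAIT_SWITCH1), 0
        elif s in (WAIT_SWITCH2, WAIT_SWITCH1):          # 8004 / 8014
            first = sw1 if s == WAIT_SWITCH2 else sw2
            if both_closed:
                s = GUARD_CLOSED
            elif not first:                              # first switch re-opened: start over
                s = GUARD_OPENED if both_open else OPEN_REQUEST
            else:
                self.timer_ms += dt_ms
                if self.timer_ms >= self.discrepancy_time_ms:
                    s = DISCREPANCY_ERROR_1 if s == WAIT_SWITCH2 else DISCREPANCY_ERROR_2
        elif s == GUARD_CLOSED:                          # 8005: acknowledge automatically or by rising Reset
            if not both_closed:
                s = OPEN_REQUEST
            elif self.s_auto_reset or r_trig:
                s = NORMAL
        elif s == WAIT_RESET:                            # 8003: a held (static) Reset is error C001
            if not both_closed:
                s = OPEN_REQUEST
            elif r_trig:
                s = NORMAL
            elif reset:
                s = RESET_ERROR
        elif s == NORMAL:                                # 8000: output drops as soon as one switch opens
            if not both_closed:
                s = OPEN_REQUEST
        elif s == RESET_ERROR:
            if not reset:
                s = WAIT_RESET
        elif s in (DISCREPANCY_ERROR_1, DISCREPANCY_ERROR_2):
            if both_open:                                # only a fully opened guard clears a discrepancy error
                s = GUARD_OPENED
        self.diag_code = s
        return s
```

Two properties worth confirming on the real hardware follow directly from the tables and are reproduced by the model: closing the second switch after the discrepancy time does not recover the output (C011/C012 stay until both inputs are FALSE), and bridged inputs pass straight from 8012 to 8005 because they never differ, so the discrepancy check gives no fault coverage for a single-switch guard.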

4.6.4.8 SF_TwoHandControlTypeII

Standards | Requirements
EN 574:1996 | Clause 4, Table 1, Type II.
    | 5.1 Use of both hands / simultaneous actuation.
    | 5.2 Relationship between output signal and input signals.
    | 5.3 Completion of the output signal.
    | 5.6 Reinitiation of the output signal.
    | 6.3 Use of DIN EN 954-1 category 3 (can only be realized by NO and NC switches together with antivalent processing).
ISO 12100-2:2003 | 4.11.4 Restart following power failure/spontaneous restart


This function block provides the two-hand control functionality according to EN 574, Section 4, Type II. If S_Button1 and S_Button2 are set to TRUE in the correct sequence, the S_TwoHandOut output is also set to TRUE. The FB also requires the release of both buttons before it sets the S_TwoHandOut output to TRUE again.

Table 39: FB name: SF_TwoHandControlTypeII

Name | Data type | Initial value | Description, parameter values
VAR_INPUT
Activate | BOOL | FALSE | see Table 16 “General input parameters” on page 203
S_Button1 | BOOL | FALSE | Variable. Input of button 1 (for category 3 or 4: two antivalent contacts). FALSE: Button 1 released. TRUE: Button 1 actuated.
S_Button2 | BOOL | FALSE | Variable. Input of button 2 (for category 3 or 4: two antivalent contacts). FALSE: Button 2 released. TRUE: Button 2 actuated.
VAR_OUTPUT
Ready | BOOL | FALSE | see Table 17 “General output parameters” on page 204
S_TwoHandOut | BOOL | FALSE | Safety-related output signal. FALSE: No correct two-hand operation. TRUE: S_Button1 and S_Button2 inputs are TRUE and no error occurred. Correct two-hand operation.
Error | BOOL | FALSE | see Table 17 “General output parameters” on page 204
DiagCode | WORD | 16#0000 | see Table 17 “General output parameters” on page 204

Notes: No Reset input or Error output is required, because no test can be performed on bothswitches.

Typical timing diagram

Fig. 105: Timing diagram for SF_TwoHandControlTypeII


Error behavior

After activation of the FB, any button already set to TRUE is detected as an invalid input setting and leads to an error.

In the event of an error, the S_TwoHandOut output is set to FALSE and remains in this safe state. The error state is exited when both buttons are released (set to FALSE).

Function block-specific error and status codes

Table 40: FB-specific error codes

DiagCode | State name | State description and output setting
C001 | Error B1 | S_Button1 was TRUE on FB activation. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE
C002 | Error B2 | S_Button2 was TRUE on FB activation. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE
C003 | Error B1&B2 | The signals at S_Button1 and S_Button2 were TRUE on FB activation. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE

Table 41: FB-specific status codes (no error)

DiagCode | State name | State description and output setting
0000 | Idle | The function block is not active (initial state). Ready = FALSE, Error = FALSE, S_TwoHandOut = FALSE
8000 | Buttons Actuated | Both buttons actuated correctly. The safety-related output is enabled. Ready = TRUE, Error = FALSE, S_TwoHandOut = TRUE
8001 | Init | Function block is active, but in the Init state. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8004 | Buttons Released | No button is actuated. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8005 | Button 1 Actuated | Only button 1 is actuated. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8006 | Button 2 Actuated | Only button 2 is actuated. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8007 | Button 2 Released | The safety-related output was enabled and is disabled again. FALSE at both S_Button1 and S_Button2 was not achieved after disabling the safety-related output. In this state, S_Button1 is TRUE and S_Button2 is FALSE after disabling the safety-related output. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8008 | Button 1 Released | The safety-related output was enabled and is disabled again. FALSE at both S_Button1 and S_Button2 was not achieved after disabling the safety-related output. In this state, S_Button1 is FALSE and S_Button2 is TRUE after disabling the safety-related output. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8009 | Locked Off | The safety-related output was enabled and is disabled again. FALSE at both S_Button1 and S_Button2 was not achieved after disabling the safety-related output. In this state, S_Button1 is TRUE and S_Button2 is TRUE after disabling the safety-related output. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8019 | Locked On | Incorrect actuation of the buttons. Waiting for release of both buttons. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE


4.6.4.9 SF_TwoHandControlTypeIII

Standards | Requirements
EN 574:1996 | Clause 4, Table 1, Type III A; B; C.
    | 5.1 Use of both hands / simultaneous actuation.
    | 5.2 Relationship between output signal and input signals.
    | 5.3 Completion of the output signal.
    | 5.6 Reinitiation of the output signal.
    | 5.7 Synchronous actuation.
    | 6.2 Use of DIN EN 954-1 category 1.
    | 6.3 Use of DIN EN 954-1 category 3 (can only be realized by NO and NC switches together with antivalent processing).
    | 6.4 Use of DIN EN 954-1 category 4 (can only be realized by NO and NC switches together with antivalent processing).
ISO 12100-2:2003 | 4.11.4 Restart following power failure/spontaneous restart

This function block provides the two-hand control functionality according to EN 574, Section 4, Type III, with a fixed specified time difference of 500 ms. If S_Button1 and S_Button2 are set to TRUE within 500 ms and in the correct sequence, the S_TwoHandOut output is also set to TRUE. The FB also requires the release of both buttons before it sets the S_TwoHandOut output to TRUE again.

Table 42: FB name: SF_TwoHandControlTypeIII

Name | Data type | Initial value | Description, parameter values
VAR_INPUT
Activate | BOOL | FALSE | see Table 16 “General input parameters” on page 203
S_Button1 | BOOL | FALSE | Variable. Input of button 1 (for category 3 or 4: two antivalent contacts). FALSE: Button 1 released. TRUE: Button 1 actuated.
S_Button2 | BOOL | FALSE | Variable. Input of button 2 (for category 3 or 4: two antivalent contacts). FALSE: Button 2 released. TRUE: Button 2 actuated.
VAR_OUTPUT
Ready | BOOL | FALSE | see Table 17 “General output parameters” on page 204
S_TwoHandOut | BOOL | FALSE | Safety-related output signal. FALSE: No correct two-hand operation. TRUE: S_Button1 and S_Button2 inputs changed from FALSE to TRUE within 500 ms and no error occurred. The two-hand operation has been performed correctly.
Error | BOOL | FALSE | see Table 17 “General output parameters” on page 204
DiagCode | WORD | 16#0000 | see Table 17 “General output parameters” on page 204

Notes: No Reset input or Error output is required, because no test can be performed on bothswitches.

Typical timing diagram

Fig. 106: Timing diagram for SF_TwoHandControlTypeIII

Error behavior

After activation of the FB, any button already set to TRUE is detected as an invalid input setting and leads to an error. The FB also detects when the divergence of the input signals exceeds 500 ms.

In the event of an error, the S_TwoHandOut output is set to FALSE and remains in this safe state. The error state is exited when both buttons are released (set to FALSE).


Function block-specific error and status codes

Table 43: FB-specific error codes

DiagCode | State name | State description and output setting
C001 | Error 1 B1 | S_Button1 was TRUE on FB activation. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE
C002 | Error 1 B2 | S_Button2 was TRUE on FB activation. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE
C003 | Error 1 B1&B2 | The signals at S_Button1 and S_Button2 were TRUE on FB activation. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE
C004 | Error 2 B1 | S_Button1 was FALSE and S_Button2 was TRUE after 500 ms in state 8005. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE
C005 | Error 2 B2 | S_Button1 was TRUE and S_Button2 was FALSE after 500 ms in state 8005. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE
C006 | Error 2 B1&B2 | S_Button1 was TRUE and S_Button2 was TRUE after 500 ms in state 8005 or 8006. This state is only possible when the states of the inputs (S_Button1 and S_Button2) change from divergent to convergent (both TRUE) in the same cycle in which the 500 ms timer elapses. Ready = TRUE, Error = TRUE, S_TwoHandOut = FALSE

Table 44: FB-specific status codes (no error)

DiagCode | State name | State description and output setting
0000 | Idle | The function block is not active (initial state). Ready = FALSE, Error = FALSE, S_TwoHandOut = FALSE
8000 | Buttons Actuated | Both buttons actuated correctly. The safety-related output is enabled. Ready = TRUE, Error = FALSE, S_TwoHandOut = TRUE
8001 | Init | Function block is active, but in the Init state. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8004 | Buttons Released | No button is actuated. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8005 | Button 1 Actuated | Only button 1 is actuated. Start monitoring timer. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8006 | Button 2 Actuated | Only button 2 is actuated. Start monitoring timer. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8007 | Button 2 Released | The safety-related output was enabled and is disabled again. FALSE at both S_Button1 and S_Button2 was not achieved after disabling the safety-related output. In this state, S_Button1 is TRUE and S_Button2 is FALSE after disabling the safety-related output. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8008 | Button 1 Released | The safety-related output was enabled and is disabled again. FALSE at both S_Button1 and S_Button2 was not achieved after disabling the safety-related output. In this state, S_Button1 is FALSE and S_Button2 is TRUE after disabling the safety-related output. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8009 | Locked Off | The safety-related output was enabled and is disabled again. FALSE at both S_Button1 and S_Button2 was not achieved after disabling the safety-related output. In this state, S_Button1 is TRUE and S_Button2 is TRUE after disabling the safety-related output. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
8019 | Locked On | Incorrect actuation of the buttons. Waiting for release of both buttons. Ready = TRUE, Error = FALSE, S_TwoHandOut = FALSE
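The two-hand control logic of SF_TwoHandControlTypeII and SF_TwoHandControlTypeIII as one cycle-based model: with sync_time_ms=None it behaves like Type II (no simultaneity requirement), with sync_time_ms=500 like Type III, which is the generalization the two state tables share. This is an added example written for this page, not ABB library code. DiagCode values and output settings come from Tables 40, 41, 43 and 44; the transitions, the timer arithmetic (the timer accumulates the scan time dt_ms in states 8005/8006), the class name SF_TwoHandControl and the method step() are assumptions to be checked against the real library. Note also one modelling choice: Table 43 lists state 8005 for both C004 and C005, and the model raises C005 when the 500 ms expire in 8005 (only button 1 pressed) and C004 when they expire in 8006 (only button 2 pressed), as the state names imply.

```python
"""Cycle-based reference model of SF_TwoHandControlTypeII / TypeIII (Tables 39 to 44).

Added example, not ABB library code.  sync_time_ms=None models Type II
(no simultaneity requirement); sync_time_ms=500 models Type III.  The
transitions are reconstructed from the state descriptions and are an
assumption to check against the library; the model raises C005 when the
500 ms expire in 8005 (only button 1 pressed) and C004 when they expire
in 8006 (only button 2 pressed), as the state names imply.
"""

IDLE, ACTUATED, INIT, RELEASED = 0x0000, 0x8000, 0x8001, 0x8004
B1_ACTUATED, B2_ACTUATED = 0x8005, 0x8006
B2_RELEASED, B1_RELEASED, LOCKED_OFF, LOCKED_ON = 0x8007, 0x8008, 0x8009, 0x8019
ERR1_B1, ERR1_B2, ERR1_B1B2 = 0xC001, 0xC002, 0xC003      # button(s) TRUE at activation
ERR2_B1, ERR2_B2, ERR2_B1B2 = 0xC004, 0xC005, 0xC006      # Type III only: not simultaneous


class SF_TwoHandControl:
    def __init__(self, sync_time_ms=None):
        self.sync_time_ms = sync_time_ms
        self.diag_code = IDLE
        self.timer_ms = 0

    @property
    def s_two_hand_out(self):
        return self.diag_code == ACTUATED

    @property
    def error(self):
        return self.diag_code >= 0xC000

    def step(self, activate, b1, b2, dt_ms):
        """One safety cycle of dt_ms; returns the new DiagCode."""
        s = self.diag_code
        if not activate:
            s = IDLE
        elif s == IDLE:
            s = INIT
        elif s == INIT:                              # 8001: a pressed button at activation is an error
            s = {(True, True): ERR1_B1B2, (True, False): ERR1_B1,
                 (False, True): ERR1_B2, (False, False): RELEASED}[(bool(b1), bool(b2))]
        elif s >= 0xC000 or s in (LOCKED_OFF, LOCKED_ON):
            if not b1 and not b2:                    # errors and lock states need both buttons released
                s = RELEASED
            elif s == LOCKED_OFF:                    # 8009: releasing one button only goes to 8007/8008
                if not b2:
                    s = B2_RELEASED
                elif not b1:
                    s = B1_RELEASED
        elif s == RELEASED:                          # 8004
            if b1 and b2:
                s = ACTUATED                         # both pressed within one cycle
            elif b1 or b2:
                s, self.timer_ms = (B1_ACTUATED if b1 else B2_ACTUATED), 0
        elif s in (B1_ACTUATED, B2_ACTUATED):        # 8005 / 8006: waiting for the second button
            first, other = (b1, b2) if s == B1_ACTUATED else (b2, b1)
            self.timer_ms += dt_ms
            expired = self.sync_time_ms is not None and self.timer_ms >= self.sync_time_ms
            if b1 and b2:
                s = ERR2_B1B2 if expired else ACTUATED
            elif not first:
                s = LOCKED_ON if other else RELEASED  # hand swap without full release: 8019 (assumption)
            elif expired:
                s = ERR2_B2 if s == B1_ACTUATED else ERR2_B1
        elif s == ACTUATED:                          # 8000: output enabled while both are held
            if not b1 and not b2:
                s = RELEASED
            elif not b2:
                s = B2_RELEASED
            elif not b1:
                s = B1_RELEASED
        elif s in (B2_RELEASED, B1_RELEASED):        # 8007 / 8008: re-pressing locks the output off
            if not b1 and not b2:
                s = RELEASED
            elif b1 and b2:
                s = LOCKED_OFF
            elif s == B2_RELEASED and not b1 and b2:
                s = B1_RELEASED
            elif s == B1_RELEASED and b1 and not b2:
                s = B2_RELEASED
        self.diag_code = s
        return s
```

The cases a commissioning test should cover, and which the model reproduces, are the ones the tables single out: a button tied down or held at activation (C001 to C003), the second button arriving after the 500 ms window (C004/C005), both arriving exactly when the window expires (C006), and a button re-pressed after the output has dropped, which parks the block in 8009 (Locked Off) with no output until both buttons are released.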

4.6.4.10 SF_GuardLocking

Standards | Requirements
EN 953:1997 | 3.3.3 Control guard:
    | ● The hazardous machine functions "covered" by the guard cannot operate until the guard is closed;
    | ● Closing the guard initiates operation of the hazardous machine function(s).
EN 1088:1995 | 3.3 Definition: Interlocking guard with guard locking:
    | ● The hazardous machine functions "covered" by the guard cannot operate until the guard is closed and locked;
    | ● The guard remains closed and locked until the risk of injury from the hazardous machine functions has passed;
    | ● When the guard is closed and locked, the hazardous machine functions "covered" by the guard can operate, but the closure and locking of the guard do not by themselves initiate their operation.
    | 4.2.2 Interlocking device with guard locking: conditional unlocking ("four-state interlocking", refer to Fig. 3 b2 in the standard).
EN 954-1:1996 | 5.4 Manual reset
ISO 12100-2:2003 | 4.11.4 Restart following power failure/spontaneous restart

This FB controls an entrance to a hazardous area via an interlocking guard with guard locking("four state interlocking").


The function block controls the guard lock and monitors the position of the guard and of the lock. It can be used with a mechanically locked switch. The operator requests access to the hazardous area. The guard can only be unlocked when the hazardous area is in a safe state. The guard can only be locked if it is closed. The machine can be started when the guard is closed and locked. An open or unlocked guard while the area is not in a safe state is detected as a safety-critical situation (error C004, Safety Lost). The S_StartReset and S_AutoReset inputs shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Table 45: FB name: SF_GuardLocking

Name | Data type | Initial value | Description, parameter values
VAR_INPUT
Activate | BOOL | FALSE | see Table 16 “General input parameters” on page 203
S_GuardMonitoring | BOOL | FALSE | Variable. Monitors the guard interlocking. FALSE: Guard open. TRUE: Guard closed.
S_SafetyActive | BOOL | FALSE | Variable. Status of the hazardous area (EDM), e.g., based on speed monitoring or a safe time-off delay. FALSE: Machine in "non-safe" state. TRUE: Machine in safe state.
S_GuardLock | BOOL | FALSE | Variable. Status of the mechanical guard locking. FALSE: Guard is not locked. TRUE: Guard is locked.
UnlockRequest | BOOL | FALSE | Variable. Operator intervention, request to unlock the guard. FALSE: No request. TRUE: Request made.
S_StartReset | BOOL | FALSE | see Table 16 “General input parameters” on page 203
S_AutoReset | BOOL | FALSE | see Table 16 “General input parameters” on page 203
Reset | BOOL | FALSE | see Table 16 “General input parameters” on page 203. Also used to request the guard to be locked again. The quality of the signal must conform to a manual reset device (EN 954-1 Ch. 5.4).
VAR_OUTPUT
Ready | BOOL | FALSE | see Table 17 “General output parameters” on page 204
S_GuardLocked | BOOL | FALSE | Interface to the hazardous area which must be stopped. FALSE: No safe state. TRUE: Safe state.
S_UnlockGuard | BOOL | FALSE | Signal to unlock the guard. FALSE: Close guard. TRUE: Unlock guard.
Error | BOOL | FALSE | see Table 17 “General output parameters” on page 204
DiagCode | WORD | 16#0000 | see Table 17 “General output parameters” on page 204

Typical timing diagram

Fig. 107: Timing diagram for SF_GuardLocking

Error behavior

Static signals are detected at Reset. Errors are detected at the guard switches. In the event of an error, the S_GuardLocked and S_UnlockGuard outputs are set to FALSE, the DiagCode output indicates the relevant error code, and the Error output is set to TRUE. An error must be acknowledged by a rising trigger at the Reset input.


Function block-specific error and status codes

Table 46: FB-specific error codes

DiagCode | State name | State description and output setting
C001 | Reset Error 1 | Static Reset detected in state 8001. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = TRUE
C002 | Reset Error 2 | Static Reset detected in state C004. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = TRUE
C003 | Reset Error 3 | Static Reset detected in state 8011. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = TRUE
C004 | Safety Lost | Safety lost, guard opened or guard unlocked. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = TRUE

Table 47: FB-specific status codes (no error)

DiagCode | State name | State description and output setting
0000 | Idle | The function block is not active (initial state). Ready = FALSE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = FALSE
8000 | Guard Closed and Locked | Guard is locked. Ready = TRUE, S_GuardLocked = TRUE, S_UnlockGuard = FALSE, Error = FALSE
8001 | Init | Function block was activated and initiated. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = FALSE
8003 | Wait for Reset | Door is closed and locked, now waiting for operator reset. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = FALSE
8011 | Wait for Operator | Waiting for the operator to either request unlocking or reset. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = FALSE
8012 | Guard Open and Unlocked | Lock is released and guard is open. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = TRUE, Error = FALSE
8013 | Guard Closed but Unlocked | Lock is released but guard is closed. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = TRUE, Error = FALSE
8014 | Safety Return | Return of the S_SafetyActive signal, now waiting for operator acknowledgment. Ready = TRUE, S_GuardLocked = FALSE, S_UnlockGuard = FALSE, Error = FALSE


4.6.4.11 SF_TestableSafetySensor

Standards | Requirements
IEC 61496-1:2004 | 4.2.2.3 Particular requirements for a type 2 ESPE:
    | A type 2 ESPE shall have means of periodic test to reveal a failure to danger (for example, loss of detection capability, response time exceeding that specified).
    | A single fault resulting in the loss of detection capability or the increase in response time beyond the specified time or preventing one or more of the OSSDs going to the OFF-state shall result in a lock-out condition as a result of the next periodic test.
    | Where the periodic test is intended to be initiated by an external (for example, machine) safety-related control system, the ESPE shall be provided with suitable input facilities (for example, terminals).
    | The duration of the periodic test shall be such that the intended safety function is not impaired.
    | Note: If the type 2 ESPE is intended for use as a trip device (for example, when used as a perimeter guard), and the duration of the periodic test is greater than 150 ms, it is possible for a person to pass through the detection zone without being detected. In this case, a restart interlock should be included.
    | If the periodic test is automatically initiated, the correct functioning of the periodic test shall be monitored and a single fault in the parts implementing the monitoring function shall be detected. In the event of a fault, the OSSD(s) shall be signaled to go to the OFF-state. If one or more OSSDs do not go to the OFF-state, a lock-out condition shall be initiated.
EN 954-1:1996 | 5.4 Manual reset
ISO 12100-2:2003 | 4.11.4 Restart following power failure/spontaneous restart

This function block detects, for example, the loss of the sensing unit detection capability, the response time exceeding that specified, and a static ON signal in single-channel sensor systems. It can be used for external testable safety sensors (ESPE: electro-sensitive protective equipment, such as a light beam).

Table 48: FB name: SF_TestableSafetySensor
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
Activate | BOOL | FALSE | see Table 16 "General input parameters" on page 203
S_OSSD_In | BOOL | FALSE | Variable. Status of sensor output, e.g., light curtain. FALSE: Safety sensor in test state or demand for safety-related response. TRUE: Sensor in the state for normal operating conditions.


Page 248: AC500-S Safety user manual V1.3.0 - ABB

Table 48 (continued):
Name | Data type | Initial value | Description, parameter values
StartTest | BOOL | FALSE | Variable. Input to start sensor test. Sets "S_TestOut" and starts the internal time monitoring function in the FB. FALSE: No test requested. TRUE: Test requested.
NoExternalTest | BOOL | FALSE | Constant. Indicates if external manual sensor test is supported. FALSE: The external manual sensor test is supported. Only after a complete manual sensor switching sequence, an automatic test is possible again after a faulty automatic sensor test. TRUE: The external manual sensor test is not supported. An automatic test is possible again without a manual sensor switching sequence after a faulty automatic sensor test.
S_StartReset | BOOL | FALSE | see Table 16 "General input parameters" on page 203
S_AutoReset | BOOL | FALSE | see Table 16 "General input parameters" on page 203
Reset | BOOL | FALSE | see Table 16 "General input parameters" on page 203
TestTime | TIME | T#10ms | Constant. Range: 0 ... 150 ms. Test time of safety sensor.
VAR_OUTPUT
Ready | BOOL | FALSE | see Table 17 "General output parameters" on page 204
S_OSSD_Out | BOOL | FALSE | Safety related output indicating the status of the ESPE. FALSE: The sensor has a safety-related action request or test error. TRUE: The sensor has no safety-related action request and no test error.
S_TestOut | BOOL | TRUE | Coupled with the test input of the sensor. FALSE: Test request issued. TRUE: No test request.
TestPossible | BOOL | FALSE | Feedback signal to the process. FALSE: An automatic sensor test is not possible. TRUE: An automatic sensor test is possible.
TestExecuted | BOOL | FALSE | A positive signal edge indicates the successful execution of the automatic sensor test. FALSE: an automatic sensor test was not executed yet, an automatic sensor test is active, or an automatic sensor test was faulty. TRUE: A sensor test was executed successfully.


Page 249: AC500-S Safety user manual V1.3.0 - ABB

Table 48 (continued):
Name | Data type | Initial value | Description, parameter values
Error | BOOL | FALSE | see Table 17 "General output parameters" on page 204
DiagCode | WORD | 16#0000 | see Table 17 "General output parameters" on page 204

Typical timing diagram

Fig. 108: Timing diagram for SF_TestableSafetySensor

The following conditions force a transition to the error state:
● Test time overrun without delayed sensor feedback.
● Test without sensor signal feedback.
● Invalid static reset signal in the process.
● Plausibility check of the monitoring time setting.
In the event of an error, the S_OSSD_Out output is set to FALSE and remains in this safe state. Once the error has been removed and the sensor is on (S_OSSD_In = TRUE), a reset removes the error state and sets the S_OSSD_Out output to TRUE. If S_AutoReset = FALSE, a rising trigger is required at Reset.


Page 250: AC500-S Safety user manual V1.3.0 - ABB

After transition of S_OSSD_In to TRUE, the optional startup inhibit can be reset by a rising edge at the Reset input. After block activation, the optional startup inhibit can be reset by a rising edge at the Reset input.

Function block-specific error and status codes

Table 49: FB-specific error codes
DiagCode | State name | State description and output setting
C000 | Parameter Error | Invalid value at the TestTime parameter. Values between 0 ms and 150 ms are possible. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE
C001 | Reset Error 1 | Static Reset condition detected after FB activation. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE
C002 | Reset Error 2 | Static Reset condition detected in state 8003. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE
C003 | Reset Error 3 | Static Reset condition detected in state C010. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE
C004 | Reset Error 4 | Static Reset condition detected in state C020. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE


Page 251: AC500-S Safety user manual V1.3.0 - ABB

Table 49 (continued):
DiagCode | State name | State description and output setting
C005 | Reset Error 5 | Static Reset condition detected in state 8006. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE
C006 | Reset Error 6 | Static Reset condition detected in state C000. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE
C007 | Reset Error 7 | Static Reset condition detected in state 8013. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = TRUE, Error = TRUE
C010 | Test Error 1 | Test time elapsed in state 8020. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE
C020 | Test Error 2 | Test time elapsed in state 8030. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = TRUE


Page 252: AC500-S Safety user manual V1.3.0 - ABB

Table 50: FB-specific status codes (no error)
DiagCode | State name | State description and output setting
0000 | Idle | The function block is not active (initial state). Ready = FALSE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE
8001 | Init | An activation has been detected by the FB. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE
8002 | ESPE Interrupted 1 | The FB has detected a safety demand. The switch has not been automatically tested yet. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE
8003 | Wait for Reset 1 | Wait for rising trigger of Reset after state 8002. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE
8004 | External Function Test | The automatic sensor test was faulty. An external manual sensor test is necessary. The support for the necessary external manual sensor test has been activated at the FB (NoExternalTest = FALSE). A negative signal edge at the sensor is required. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE


Page 253: AC500-S Safety user manual V1.3.0 - ABB

Table 50 (continued):
DiagCode | State name | State description and output setting
8005 | ESPE Interrupted External Test | The automatic sensor test was faulty. An external manual sensor test is necessary. The support for the necessary external manual sensor test has been activated at the FB (NoExternalTest = FALSE). A TRUE signal at the sensor is required. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE
8006 | End External Test | The automatic sensor test was faulty. An external manual sensor test is necessary. The support for the necessary external manual sensor test has been activated at the FB (NoExternalTest = FALSE). The external manual test is complete. The FB detected a complete sensor switching cycle (externally controlled). Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE
8010 | ESPE Free No Test | The FB has not detected a safety demand. The sensor has not been tested automatically. Ready = TRUE, S_OSSD_Out = TRUE, S_TestOut = TRUE, TestPossible = TRUE, TestExecuted = FALSE, Error = FALSE
8020 | Test Request | The automatic sensor test is active. Test Timer is started the first time. The transmitter signal of the sensor is switched off by the FB. The signal of the receiver must follow the signal of the transmitter. Ready = TRUE, S_OSSD_Out = TRUE, S_TestOut = FALSE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE


Page 254: AC500-S Safety user manual V1.3.0 - ABB

Table 50 (continued):
DiagCode | State name | State description and output setting
8030 | Test Active | The automatic sensor test is active. Test Timer is started the second time. The transmitter signal of the sensor is switched on by the FB. The signal of the receiver must follow the signal of the transmitter. Ready = TRUE, S_OSSD_Out = TRUE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = FALSE, Error = FALSE
8000 | ESPE Free Test ok | The FB has not detected a safety demand. The sensor was automatically tested. Ready = TRUE, S_OSSD_Out = TRUE, S_TestOut = TRUE, TestPossible = TRUE, TestExecuted = TRUE, Error = FALSE
8012 | ESPE Interrupted 2 | The FB has detected a safety demand. The switch was automatically tested. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = TRUE, Error = FALSE
8013 | Wait for Reset 2 | Wait for rising trigger of Reset after state 8012. Ready = TRUE, S_OSSD_Out = FALSE, S_TestOut = TRUE, TestPossible = FALSE, TestExecuted = TRUE, Error = FALSE
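As an added example (not ABB's library code), the automatic test path of Table 50 (8010 to 8020 to 8030 to 8000) and the C000/C010/C020 errors of Table 49, modelled in Python as a scan-cycle state machine driven by a constructed sensor. The class name, the simulated receiver delays, and the omission of Reset handling and of the external manual test (8004 to 8006) are assumptions of this example.

```python
from dataclasses import dataclass

MAX_TEST_TIME_MS = 150  # TestTime range from Table 48: 0 ... 150 ms


@dataclass
class TestableSensorModel:
    """Simplified SF_TestableSafetySensor: automatic test path only
    (8010 -> 8020 -> 8030 -> 8000) plus the C000/C010/C020 errors.
    Reset handling and the external manual test (8004..8006) are omitted."""
    test_time_ms: int = 10        # TestTime, initial value T#10ms
    diag: int = 0x8010            # assumed already activated, ESPE free
    s_ossd_out: bool = True
    s_test_out: bool = True       # TRUE = no test request to the sensor
    test_possible: bool = True
    test_executed: bool = False
    error: bool = False
    elapsed_ms: int = 0

    def __post_init__(self):
        # Plausibility check of the monitoring time setting (C000).
        if not 0 <= self.test_time_ms <= MAX_TEST_TIME_MS:
            self._fail(0xC000)

    def _fail(self, code):
        # Error state per Table 49: OSSD off, no test request pending.
        self.diag, self.error = code, True
        self.s_ossd_out, self.s_test_out = False, True
        self.test_possible = self.test_executed = False

    def cycle(self, s_ossd_in, start_test, dt_ms):
        """One PLC scan: s_ossd_in is the receiver signal, start_test the
        StartTest input, dt_ms the scan time. Returns the DiagCode."""
        if self.error:
            return self.diag
        if self.diag in (0x8010, 0x8000):
            if not s_ossd_in:                 # safety demand while free
                self.diag = 0x8012 if self.test_executed else 0x8002
                self.s_ossd_out = self.test_possible = False
            elif start_test:                  # 8020: transmitter switched off
                self.diag, self.s_test_out = 0x8020, False
                self.test_possible = self.test_executed = False
                self.elapsed_ms = 0
        elif self.diag == 0x8020:
            self.elapsed_ms += dt_ms
            if not s_ossd_in:                 # receiver followed: 8030
                self.diag, self.s_test_out = 0x8030, True
                self.elapsed_ms = 0
            elif self.elapsed_ms > self.test_time_ms:
                self._fail(0xC010)            # Test Error 1
        elif self.diag == 0x8030:
            self.elapsed_ms += dt_ms
            if s_ossd_in:                     # receiver recovered: test ok
                self.diag = 0x8000
                self.test_possible = self.test_executed = True
            elif self.elapsed_ms > self.test_time_ms:
                self._fail(0xC020)            # Test Error 2
        return self.diag


def simulate(model, follow_off_ms, follow_on_ms, cycle_ms=1, cycles=400):
    """Drive one automatic test against a constructed sensor whose receiver
    follows the transmitter (S_TestOut) with the given delays. None means
    the receiver never follows (static ON signal, or a beam that never
    recovers). Returns the final DiagCode."""
    receiver, since_edge, prev_test_out = True, 0, model.s_test_out
    code = model.diag
    for i in range(cycles):
        if model.s_test_out != prev_test_out:
            prev_test_out, since_edge = model.s_test_out, 0
        if not model.s_test_out:              # transmitter dark
            if follow_off_ms is not None and since_edge >= follow_off_ms:
                receiver = False
        elif follow_on_ms is not None and since_edge >= follow_on_ms:
            receiver = True
        code = model.cycle(receiver, start_test=(i == 0), dt_ms=cycle_ms)
        since_edge += cycle_ms
        if model.error or code == 0x8000:
            break
    return code


if __name__ == "__main__":
    ok = TestableSensorModel(test_time_ms=10)
    print(hex(simulate(ok, 5, 5)), ok.test_executed)        # 0x8000 True
    print(hex(simulate(TestableSensorModel(10), None, 5)))  # 0xc010 static ON
    print(hex(simulate(TestableSensorModel(10), 5, None)))  # 0xc020
    print(hex(simulate(TestableSensorModel(10), 20, 5)))    # 0xc010 too slow
    print(hex(TestableSensorModel(test_time_ms=200).diag))  # 0xc000
```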


Page 255: AC500-S Safety user manual V1.3.0 - ABB

4.6.4.12 SF_MutingSeq

Standards / Requirements

IEC 61496-1:2004 A.7 Muting

A.7.1.2 There shall be at least two independent hard-wired muting signal sources to initiate the function. It shall not be possible to initiate muting when the OSSDs are already in the OFF-state.
A.7.1.3 The mute function shall only be initiated by the correct sequence and/or timing of the mute signals. Should conflicting muting signals occur, the ESPE shall not allow a muted condition to occur.
A.7.1.4 There shall be at least two independent hard-wired muting signal sources to stop the function. The muting function shall stop when the first of these muting signals changes state. The deactivation of the muting function shall not rely only on the clearance of the ESPE.
A.7.1.5 The muting signals should be continuously present during muting. When the signals are not continuously present, an incorrect sequence and/or the expiration of a pre-set time limit shall cause either a lock-out condition or a restart interlock.
A.7.4 Indication: A mute status signal or indicator shall be provided (in some applications, an indication signal of muting is necessary).

IEC62046/Ed. 1:2005

5.5.1: ... an indicator to show when the muting function is active can be necessary. The muting function shall be initiated and terminated automatically ... Incorrect signals, sequence, or timing of the muting sensors or signals shall not allow a mute condition. It shall not be possible to initiate the muting function when:
● the protective equipment OSSDs are in the OFF-state;
● the protective equipment is in the lock-out condition.
● initiation of the muting function by two or more independent muting sensors such that a single fault cannot cause a muted condition;
● termination of the muting function by two or more independent muting sensors such that deactivation of one sensor will terminate the muting function;
● use of timing and sequence control of the muting sensors to ensure correct muting operation.
5.5.3: The following measures shall be considered: ...
● limiting muting to a fixed time that is only sufficient for the material to pass through the detection zone. When this time is exceeded, the muting function should be canceled and all hazardous movements stopped.

Annex F.3 Four beams - sequence control: (refer also to Fig. F.3.1 and table F.1 in the standard) The initiation of the muting function depends on monitoring the correct sequence of activation of the muting sensors. For example, in the muted condition, if S2 (in this document MS_12) is deactivated before S3 (in this document MS_21) is activated, muting is terminated.
Annex F.5: Methods to avoid manipulation of the muting function: ... use a muting enable command generated by the control system of the machine that will only enable the muting function when needed by the machine cycle.

EN 954-1:1996 5.4 Manual reset

ISO 12100-2:2003 4.11.4: Restart following power failure/spontaneous restart


Page 256: AC500-S Safety user manual V1.3.0 - ABB

Muting is the intended suppression of the safety function (e.g., of light barriers). In this FB, sequential muting with four muting sensors is specified. Muting is required, e.g., when transporting the material into the danger zone without causing the machine to stop. Muting is triggered by muting sensors. The use of two or four muting sensors and correct integration into the production sequence must ensure that no persons enter the danger zone while the light curtain is muted. Muting sensors can be proximity switches, photoelectric barriers, limit switches, etc., which do not have to be fail-safe. Active muting mode must be indicated by indicator lights.
There are sequential and parallel muting procedures. In this FB, sequential muting with four muting sensors was used; an explanation for the forward direction of transportation is provided below. The FB can be used in both directions, forward and backward. The muting should be enabled with the MutingEnable signal by the process control to avoid manipulation. When the MutingEnable signal is not available, this input must be set to TRUE.
The FB input parameters include the signals of the four muting sensors (MutingSwitch11 ... MutingSwitch22) as well as the OSSD signal from the AOPD device (S_AOPD_In).
The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Table 51: FB name: SF_MutingSeq
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
Activate | BOOL | FALSE | see Table 16 "General input parameters" on page 203
S_AOPD_In | BOOL | FALSE | Variable. OSSD signal from AOPD. FALSE: Protection field interrupted. TRUE: Protection field not interrupted.
MutingSwitch11 | BOOL | FALSE | Variable. Status of muting sensor 11. FALSE: Muting sensor 11 not actuated. TRUE: Workpiece actuates muting sensor 11.
MutingSwitch12 | BOOL | FALSE | Variable. Status of muting sensor 12. FALSE: Muting sensor 12 not actuated. TRUE: Workpiece actuates muting sensor 12.


Page 257: AC500-S Safety user manual V1.3.0 - ABB

Table 51 (continued):
Name | Data type | Initial value | Description, parameter values
MutingSwitch21 | BOOL | FALSE | Variable. Status of muting sensor 21. FALSE: Muting sensor 21 not actuated. TRUE: Workpiece actuates muting sensor 21.
MutingSwitch22 | BOOL | FALSE | Variable. Status of muting sensor 22. FALSE: Muting sensor 22 not actuated. TRUE: Workpiece actuates muting sensor 22.
S_MutingLamp | BOOL | FALSE | Variable or constant. Indicates operation of the muting lamp. FALSE: Muting lamp failure. TRUE: No muting lamp failure.
MutingEnable | BOOL | FALSE | Variable or constant. Command by the control system that enables the start of the muting function when needed by the machine cycle. After the start of the muting function, this signal can be switched off. FALSE: Muting not enabled. TRUE: Start of muting function enabled.
S_StartReset | BOOL | FALSE | see Table 16 "General input parameters" on page 203
Reset | BOOL | FALSE | see Table 16 "General input parameters" on page 203
MaxMutingTime | TIME | T#0s | Constant, 0 .. 10 min. Maximum time for complete muting sequence; timer started when first muting sensor is actuated.
VAR_OUTPUT
Ready | BOOL | FALSE | see Table 17 "General output parameters" on page 204
S_AOPD_Out | BOOL | FALSE | Safety related output, indicates status of the muted guard. FALSE: AOPD protection field interrupted and muting not active. TRUE: AOPD protection field not interrupted or muting active.
S_MutingActive | BOOL | FALSE | Indicates status of muting process. FALSE: Muting not active. TRUE: Muting active.
Error | BOOL | FALSE | see Table 17 "General output parameters" on page 204
DiagCode | WORD | 16#0000 | see Table 17 "General output parameters" on page 204

Note: A short circuit in the muting sensor signals or a functional application error to supply these signals is not detected by this FB but interpreted as an incorrect muting sequence. However, this condition should not lead to unwanted muting. The user should take care to include this in his risk analysis.


Page 258: AC500-S Safety user manual V1.3.0 - ABB

Example for SF_MutingSeq in forward direction with four sensors

Step 1 [Figure: Transmitter / Receiver light curtain; muting sensors MS_11, MS_12, MS_21, MS_22; Danger zone]
If muting sensor MutingSwitch12 (MS_12) is activated by the product after MutingSwitch11 (MS_11), the muting mode is activated.

Step 2 [Figure: Transmitter / Receiver light curtain; muting sensors MS_11, MS_12, MS_21, MS_22; Danger zone]
Muting mode remains active as long as MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are activated by the product. The product may pass through the light curtain without causing a machine stop.

Step 3 [Figure: Transmitter / Receiver light curtain; muting sensors MS_11, MS_12, MS_21, MS_22; Danger zone]
Before muting sensors MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are disabled, muting sensors MutingSwitch21 (MS_21) and MutingSwitch22 (MS_22) must be activated. This ensures that muting mode remains active.

Step 4 [Figure: Transmitter / Receiver light curtain; muting sensors MS_11, MS_12, MS_21, MS_22; Danger zone]
Muting mode is terminated if only muting sensor MutingSwitch22 (MS_22) is activated by the product.

Muting conditions

Forward direction
Muting condition 1 (to state 8011) (MS_11 is the first actuated entry switch). Start timer MaxMutingTime:
MutingEnable AND (R_TRIG at MS_11 AND NOT MS_12 AND NOT MS_21 AND NOT MS_22)
Muting condition 2 (from state 8011 to state 8012) (MS_12 is the second actuated entry switch):
MutingEnable AND (MS_11 AND R_TRIG at MS_12 AND NOT MS_21 AND NOT MS_22)
Muting condition 3 (from state 8012 to state 8000) (MS_21 is the first released exit switch). Stop timer MaxMutingTime:


Page 259: AC500-S Safety user manual V1.3.0 - ABB

NOT MS_11 AND NOT MS_12 AND F_TRIG at MS_21 AND MS_22

Backward direction
Muting condition 11 (to state 8122) (MS_22 is the first actuated entry switch). Start timer MaxMutingTime:
MutingEnable AND (NOT MS_11 AND NOT MS_12 AND NOT MS_21 AND R_TRIG at MS_22)
Muting condition 12 (from state 8122 to state 8112) (MS_21 is the second actuated entry switch):
MutingEnable AND (NOT MS_11 AND NOT MS_12 AND R_TRIG at MS_21 AND MS_22)
Muting condition 13 (MS_12 is the first released exit switch). Stop timer MaxMutingTime:
MS_11 AND F_TRIG at MS_12 AND NOT MS_21 AND NOT MS_22

Specification of wrong muting sequences:
In state 8000 - (NOT MutingEnable AND R_TRIG at MS_11) OR (NOT MutingEnable AND R_TRIG at MS_22) OR (MS_12 OR MS_21) OR (MS_11 AND MS_22)
In state 8011 - NOT MutingEnable OR NOT MS_11 OR MS_21 OR MS_22
In state 8012 - R_TRIG at MS_11 OR R_TRIG at MS_12 OR F_TRIG at MS_22
In state 8122 - NOT MutingEnable OR MS_11 OR MS_12 OR NOT MS_22
In state 8112 - F_TRIG at MS_11 OR R_TRIG at MS_21 OR R_TRIG at MS_22

Typical timing diagram

Fig. 109: Timing diagram for SF_MutingSeq with S_StartReset = TRUE

The FB detects the following error conditions:
● Muting sensors MutingSwitch11, MutingSwitch12, MutingSwitch21, and MutingSwitch22 are activated in the wrong order.
● Muting sequence starts without being enabled by MutingEnable.
● A faulty muting lamp is indicated by S_MutingLamp = FALSE.


Page 260: AC500-S Safety user manual V1.3.0 - ABB

● A static Reset condition.
● MaxMutingTime has been set to a value less than T#0s or greater than T#10min.
● The muting function (S_MutingActive = TRUE) exceeds the maximum muting time MaxMutingTime.

Error behavior

In the event of an error, the S_AOPD_Out and S_MutingActive outputs are set to FALSE. The DiagCode output indicates the relevant error code and the Error output is set to TRUE. A restart is inhibited until the error conditions are cleared and the safe state is acknowledged with Reset by the operator.

Function block-specific error and status codes

Table 52: FB-specific error codes
DiagCode | State name | State description and output setting
C001 | Reset Error 1 | Static Reset condition detected after FB activation. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE
C002 | Reset Error 2 | Static Reset condition detected in state 8003. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE
C003 | Error Muting lamp | Error detected in muting lamp. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE
CYx4 | Error Muting sequence | Error detected in muting sequence in states 8000, 8011, 8012, 8112 or 8122. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE. Y = Status in the sequence (2 states for forward and 2 states for backward direction): C0x4 = Error occurred in state 8000; C1x4 = Error occurred in state Forward 8011; C2x4 = Error occurred in state Forward 8012; C3x4 = Error occurred in state Backward 8122; C4x4 = Error occurred in state Backward 8112; CFx4 = Muting enable missing. x = Status of the sensors when the error occurred (4 bits: LSB = MS_11; MS_12; MS_21; MSB = MS_22).


Page 261: AC500-S Safety user manual V1.3.0 - ABB

Table 52 (continued):
DiagCode | State name | State description and output setting
C005 | Parameter Error | MaxMutingTime value out of range. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE
C006 | Error Timer MaxMuting | Timing error: Active muting time (when S_MutingActive = TRUE) exceeds MaxMutingTime. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE

Table 53: FB-specific status codes (no error)
DiagCode | State name | State description and output setting
0000 | Idle | The function block is not active (initial state). Ready = FALSE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE
8000 | AOPD Free | Muting not active and no safety demand from AOPD. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error =FALSE
8001 | Init | Function block has been activated. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE
8002 | Safety Demand AOPD | Safety demand detected by AOPD, muting not active. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE
8003 | Wait for Reset | Safety demand or errors have been detected and are now cleared. Operator acknowledgment by Reset required. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE


Page 262: AC500-S Safety user manual V1.3.0 - ABB

Table 53 (continued):
DiagCode | State name | State description and output setting
8005 | Safe | Safety function activated. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE
8011 | Muting Forward Start | Muting forward, sequence is in starting phase and no safety demand. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE
8012 | Muting Forward Active | Muting forward, sequence is active. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE
8112 | Muting Backward Active | Muting backward, sequence is active. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE
8122 | Muting Backward Start | Muting backward, sequence is in starting phase and no safety demand. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE


Page 263: AC500-S Safety user manual V1.3.0 - ABB

4.6.4.13 SF_MutingPar

Standards / Requirements

IEC 61496-1:2004 A.7 Muting

A.7.1.2 There shall be at least two independent hard-wired muting signal sources to initiate the function. It shall not be possible to initiate muting when the OSSDs are already in the OFF-state.
A.7.1.3 The mute function shall only be initiated by the correct sequence and/or timing of the mute signals. Should conflicting muting signals occur, the ESPE shall not allow a muted condition to occur.
A.7.1.4 There shall be at least two independent hard-wired muting signal sources to stop the function. The muting function shall stop when the first of these muting signals changes state. The deactivation of the muting function shall not rely only on the clearance of the ESPE.
A.7.1.5 The muting signals should be continuously present during muting. When the signals are not continuously present, an incorrect sequence and/or the expiration of a pre-set time limit shall cause either a lock-out condition or a restart interlock.
A.7.4 Indication: A mute status signal or indicator shall be provided (in some applications, an indication signal of muting is necessary).

IEC62046/Ed. 1:2005

5.5.1: ... an indicator can be necessary to show when the muting function is active. The muting function shall be initiated and terminated automatically ... Incorrect signals, sequence, or timing of the muting sensors or signals shall not allow a mute condition. It shall not be possible to initiate the muting function when:
● the protective equipment OSSDs are in the OFF-state;
● the protective equipment is in the lock-out condition;
● initiation of the muting function by two or more independent muting sensors such that a single fault cannot cause a muted condition;
● termination of the muting function by two or more independent muting sensors such that deactivation of one sensor will terminate the muting function;
● use of timing and sequence control of the muting sensors to ensure correct muting operation.
5.5.3: The following measures shall be considered: ...
● limiting muting to a fixed time that is only sufficient for the material to pass through the detection zone. When this time is exceeded, the muting function should be canceled and all hazardous movements stopped;

Annex F.2 Four beams - timing control: (refer also to Fig. F.2.4 in the standard): The monitoring of the muting function is based on time limitation between the actuation of the sensors S1 (in this document MS_11) and S2 (in this document MS_12) and between the actuation of sensors S3 (in this document MS_21) and S4 (in this document MS_22). A maximum time limit of 4 s is recommended. The muting function is initiated by the two sensors S1, S2 and maintained by the two sensors S3, S4; this means that for a certain time all the four sensors are activated. The muting function is terminated when S3 or S4 is deactivated.
Annex F.5: Methods to avoid manipulation of the muting function: ... use a muting enable command generated by the control system of the machine that will only enable the muting function when needed by the machine cycle.

EN 954-1:1996 5.4 Manual reset

ISO 12100-2:2003 4.11.4: Restart following power failure/spontaneous restart


Page 264: AC500-S Safety user manual V1.3.0 - ABB

Muting is the intended suppression of the safety function. In this FB, parallel muting with four muting sensors is specified. This is required, e.g., when transporting the material into the danger zone without causing the machine to stop. Muting is triggered by muting sensors. The use of two or four muting sensors and correct integration into the production sequence must ensure that no persons enter the danger zone while the light curtain is muted. Muting sensors can be proximity switches, photoelectric barriers, limit switches, etc., which do not have to be fail-safe. Active muting mode must be indicated by indicator lights.
There are sequential and parallel muting procedures. In this FB, parallel muting with four muting sensors was used; an explanation is provided below. The FB can be used in both directions, forward and backward. The muting should be enabled with the MutingEnable signal by the process control to avoid manipulation.
The FB input parameters include the signals of the four muting sensors (MutingSwitch11 .. MutingSwitch22), the OSSD signal from the AOPD device (S_AOPD_In) as well as three parameterizable times (DiscTime11_12, DiscTime21_22 and MaxMutingTime).
The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Table 54: FB name: SF_MutingPar
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
Activate | BOOL | FALSE | see Table 16 "General input parameters" on page 203
S_AOPD_In | BOOL | FALSE | Variable. OSSD signal from AOPD. FALSE: Protection field interrupted. TRUE: Protection field not interrupted.
MutingSwitch11 | BOOL | FALSE | Variable. Status of muting sensor 11. FALSE: Muting sensor 11 not actuated. TRUE: Workpiece actuates muting sensor 11.
MutingSwitch12 | BOOL | FALSE | Variable. Status of muting sensor 12. FALSE: Muting sensor 12 not actuated. TRUE: Workpiece actuates muting sensor 12.


Page 265: AC500-S Safety user manual V1.3.0 - ABB

Table 54 (continued):
Name | Data type | Initial value | Description, parameter values
MutingSwitch21 | BOOL | FALSE | Variable. Status of muting sensor 21. FALSE: Muting sensor 21 not actuated. TRUE: Workpiece actuates muting sensor 21.
MutingSwitch22 | BOOL | FALSE | Variable. Status of muting sensor 22. FALSE: Muting sensor 22 not actuated. TRUE: Workpiece actuates muting sensor 22.
S_MutingLamp | BOOL | FALSE | Variable or constant. Indicates operation of the muting lamp. FALSE: Muting lamp failure. TRUE: No muting lamp failure.
MutingEnable | BOOL | FALSE | Variable or constant. Command by the control system that enables the start of the muting function when needed by the machine cycle. After the start of the muting function, this signal can be switched off. FALSE: Muting not enabled. TRUE: Start of muting function enabled.
S_StartReset | BOOL | FALSE | see Table 16 "General input parameters" on page 203
Reset | BOOL | FALSE | see Table 16 "General input parameters" on page 203
DiscTime11_12 | TIME | T#0s | Constant, 0..4 s. Maximum discrepancy time for MutingSwitch11 and MutingSwitch12.
DiscTime21_22 | TIME | T#0s | Constant, 0..4 s. Maximum discrepancy time for MutingSwitch21 and MutingSwitch22.
MaxMutingTime | TIME | T#0s | Constant, 0..10 min. Maximum time for complete muting sequence; timer started when first muting sensor is actuated.
VAR_OUTPUT
Ready | BOOL | FALSE | see Table 17 "General output parameters" on page 204
S_AOPD_Out | BOOL | FALSE | Safety related output, indicates status of the muted guard. FALSE: AOPD protection field interrupted and muting not active. TRUE: AOPD protection field not interrupted or muting active.
S_MutingActive | BOOL | FALSE | Indicates status of muting process. FALSE: Muting not active. TRUE: Muting active.


Error (BOOL, initial value FALSE): See Table 17 “General output parameters” on page 204.

DiagCode (WORD, initial value 16#0000): See Table 17 “General output parameters” on page 204.

Note: A short circuit in the muting sensor signals, or a functional application error in supplying these signals, is not detected by this FB. However, this condition should not lead to unwanted muting. The user should take care to include this in his risk analysis.


Example for SF_MutingPar in forward direction with four sensors

(Figure: four panels, each showing the AOPD transmitter and receiver, the muting sensors MS_11, MS_12, MS_21 and MS_22, and the danger zone; panels 1 to 4 correspond to the steps below.)

1. If the muting sensors MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are activated by the product within the time DiscTime11_12, muting mode is activated (S_MutingActive = TRUE).

2. Muting mode remains active as long as MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are activated by the product. The product may pass through the light curtain without causing a machine stop.

3. Before muting sensors MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are disabled, muting sensors MutingSwitch21 (MS_21) and MutingSwitch22 (MS_22) must be activated. This ensures that muting mode remains active. The time discrepancy between the switching of MutingSwitch21 and MutingSwitch22 is monitored by the time DiscTime21_22.

4. Muting mode is terminated if either muting sensor MutingSwitch21 (MS_21) or MutingSwitch22 (MS_22) is disabled by the product. The maximum time for muting mode to be active is MaxMutingTime.

Muting conditions

Forward direction

Muting condition 1 (to state 8011) (MS_11 is the first actuated entry switch). Start timers MaxMutingTime and DiscTime11_12:
MutingEnable AND (R_TRIG at MS_11 AND NOT MS_12 AND NOT MS_21 AND NOT MS_22)

Muting condition 1 (to state 8311) (MS_12 is the first actuated entry switch). Start timers MaxMutingTime and DiscTime11_12:
MutingEnable AND (NOT MS_11 AND R_TRIG at MS_12 AND NOT MS_21 AND NOT MS_22)


Muting condition 2 (from state 8011) (MS_12 is the second actuated entry switch). Stop timer DiscTime11_12:
MutingEnable AND (MS_11 AND R_TRIG at MS_12 AND NOT MS_21 AND NOT MS_22)

Muting condition 2 (from state 8311) (MS_11 is the second actuated entry switch). Stop timer DiscTime11_12:
MutingEnable AND (R_TRIG at MS_11 AND MS_12 AND NOT MS_21 AND NOT MS_22)

Muting condition 3 (both entry switches are actuated in the same cycle). Start timer MaxMutingTime:
MutingEnable AND (R_TRIG at MS_11 AND R_TRIG at MS_12 AND NOT MS_21 AND NOT MS_22)

Muting condition 4 (all switches are actuated):
MS_11 AND MS_12 AND MS_21 AND MS_22

Muting condition 24 (to state 8014) (MS_21 is the first actuated exit switch). Start timer DiscTime21_22:
MS_11 AND MS_12 AND R_TRIG at MS_21 AND NOT MS_22

Muting condition 24 (to state 8314) (MS_22 is the first actuated exit switch). Start timer DiscTime21_22:
MS_11 AND MS_12 AND NOT MS_21 AND R_TRIG at MS_22

Muting condition 25 (from state 8014) (MS_22 is the second actuated exit switch). Stop timer DiscTime21_22:
MS_11 AND MS_12 AND MS_21 AND R_TRIG at MS_22

Muting condition 25 (from state 8314) (MS_21 is the second actuated exit switch). Stop timer DiscTime21_22:
MS_11 AND MS_12 AND R_TRIG at MS_21 AND MS_22

Muting condition 5 (one of the exit switches is released). Stop timer MaxMutingTime:
NOT MS_11 AND NOT MS_12 AND (F_TRIG at MS_21 OR F_TRIG at MS_22)

Backward direction

Muting condition 11 (to state 8122) (MS_21 is the first actuated entry switch). Start timers MaxMutingTime and DiscTime21_22:
MutingEnable AND (NOT MS_22 AND R_TRIG at MS_21 AND NOT MS_11 AND NOT MS_12)

Muting condition 11 (to state 8422) (MS_22 is the first actuated entry switch). Start timers MaxMutingTime and DiscTime21_22:
MutingEnable AND (R_TRIG at MS_22 AND NOT MS_21 AND NOT MS_11 AND NOT MS_12)

Muting condition 12 (from state 8122) (MS_22 is the second actuated entry switch). Stop timer DiscTime21_22:
MutingEnable AND (MS_21 AND R_TRIG at MS_22 AND NOT MS_11 AND NOT MS_12)

Muting condition 12 (from state 8422) (MS_21 is the second actuated entry switch). Stop timer DiscTime21_22:
MutingEnable AND (R_TRIG at MS_21 AND MS_22 AND NOT MS_11 AND NOT MS_12)

Muting condition 13 (both entry switches are actuated in the same cycle). Start timer MaxMutingTime:
MutingEnable AND (R_TRIG at MS_21 AND R_TRIG at MS_22 AND NOT MS_11 AND NOT MS_12)

Muting condition 14 (all switches are actuated):
MS_11 AND MS_12 AND MS_21 AND MS_22

Muting condition 44 (to state 8114) (MS_11 is the first actuated exit switch). Start timer DiscTime11_12:
MS_21 AND MS_22 AND R_TRIG at MS_11 AND NOT MS_12

Muting condition 44 (to state 8414) (MS_12 is the first actuated exit switch). Start timer DiscTime11_12:


MS_21 AND MS_22 AND NOT MS_11 AND R_TRIG at MS_12

Muting condition 45 (from state 8114) (MS_12 is the second actuated exit switch). Stop timer DiscTime11_12:
MS_21 AND MS_22 AND MS_11 AND R_TRIG at MS_12

Muting condition 45 (from state 8414) (MS_11 is the second actuated exit switch). Stop timer DiscTime11_12:
MS_21 AND MS_22 AND R_TRIG at MS_11 AND MS_12

Muting condition 15 (one of the exit switches is released). Stop timer MaxMutingTime:
NOT MS_21 AND NOT MS_22 AND (F_TRIG at MS_11 OR F_TRIG at MS_12)

Wrong muting sequences:

State 8000 - (MutingEnable = FALSE when muting sequence starts) OR
((MS_11 OR MS_12) AND (MS_21 OR MS_22)) OR
(R_TRIG at MS_11 AND MS_12 AND NOT R_TRIG at MS_12) OR
(R_TRIG at MS_12 AND MS_11 AND NOT R_TRIG at MS_11) OR
(R_TRIG at MS_21 AND MS_22 AND NOT R_TRIG at MS_22) OR
(R_TRIG at MS_22 AND MS_21 AND NOT R_TRIG at MS_21) OR
((MS_11 AND NOT R_TRIG at MS_11) AND (MS_12 AND NOT R_TRIG at MS_12)) OR
((MS_21 AND NOT R_TRIG at MS_21) AND (MS_22 AND NOT R_TRIG at MS_22))

State 8011 - NOT MutingEnable OR NOT MS_11 OR MS_21 OR MS_22
State 8311 - NOT MutingEnable OR NOT MS_12 OR MS_21 OR MS_22
State 8012 - NOT MS_11 OR NOT MS_12
State 8021 - R_TRIG at MS_11 OR R_TRIG at MS_12 OR R_TRIG at MS_21 OR R_TRIG at MS_22
State 8014 - NOT MS_11 OR NOT MS_12 OR NOT MS_21
State 8314 - NOT MS_11 OR NOT MS_12 OR NOT MS_22
State 8122 - NOT MutingEnable OR MS_11 OR MS_12 OR NOT MS_21
State 8422 - NOT MutingEnable OR MS_11 OR MS_12 OR NOT MS_22
State 8121 - NOT MS_21 OR NOT MS_22
State 8112 - R_TRIG at MS_11 OR R_TRIG at MS_12 OR R_TRIG at MS_21 OR R_TRIG at MS_22
State 8114 - NOT MS_21 OR NOT MS_22 OR NOT MS_11
State 8414 - NOT MS_21 OR NOT MS_22 OR NOT MS_12
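The muting conditions and the wrong-sequence list above describe a state machine, and it is worth exercising it cycle by cycle before trusting a sensor arrangement. The following Python model is an added example, not code from ABB or from the SafetyBlocks_PLCopen_AC500_v22.lib library: it implements only the transitions and wrong-sequence conditions listed for SF_MutingPar in both directions and the CYx4 code layout of Table 55, and it leaves out the monitored times, the AOPD input, the muting lamp and the Reset handling. The names MutingParModel, run and sensor_nibble are the example's own.

```python
# Added example, not ABB's code: a cycle-based model of the SF_MutingPar muting
# sequence built only from the muting conditions and wrong-sequence list above.
# Timers (DiscTime*, MaxMutingTime), the AOPD input, the muting lamp and Reset
# are not modelled; an error latches until reset() is called.

# Sensor tuple order is (MS_11, MS_12, MS_21, MS_22). "roles" gives the indices of
# (entry1, entry2, exit1, exit2) per direction; state codes are those of Table 56.
DIRECTIONS = (
    {"roles": (0, 1, 2, 3), "start1": 0x8011, "start2": 0x8311, "active1": 0x8012,
     "step1": 0x8014, "step2": 0x8314, "active2": 0x8021},        # forward
    {"roles": (2, 3, 0, 1), "start1": 0x8122, "start2": 0x8422, "active1": 0x8121,
     "step1": 0x8114, "step2": 0x8414, "active2": 0x8112},        # backward
)
# "Y" nibble of the CYx4 error code per state (Table 55); 0xF = muting enable missing.
ERROR_Y = {0x8000: 0x0, 0x8011: 0x1, 0x8311: 0x2, 0x8012: 0x3, 0x8014: 0x4,
           0x8314: 0x5, 0x8021: 0x6, 0x8122: 0x7, 0x8422: 0x8, 0x8121: 0x9,
           0x8114: 0xA, 0x8414: 0xB, 0x8112: 0xC}
MUTING_ACTIVE_STATES = {d[k] for d in DIRECTIONS
                        for k in ("active1", "step1", "step2", "active2")}


def sensor_nibble(ms):
    """'x' nibble of CYx4: LSB = MS_11, then MS_12, MS_21, MSB = MS_22."""
    return sum(int(bit) << i for i, bit in enumerate(ms))


class MutingParModel:
    def __init__(self):
        self.reset()

    def reset(self):
        self.state, self.diag, self.error, self.dir = 0x8000, 0x8000, False, None
        self.prev = (False, False, False, False)

    def _fail(self, y, ms):
        self.error = True
        self.diag = 0xC004 | (y << 8) | (sensor_nibble(ms) << 4)
        return self.diag

    def muting_active(self):
        """S_MutingActive: TRUE in Active1/Step1/Step2/Active2 of either direction."""
        return not self.error and self.state in MUTING_ACTIVE_STATES

    def cycle(self, enable, ms11, ms12, ms21, ms22):
        """Evaluate one PLC cycle; returns DiagCode (a state code or a CYx4 error)."""
        ms = (ms11, ms12, ms21, ms22)
        rise = [n and not p for n, p in zip(ms, self.prev)]   # R_TRIG
        fall = [p and not n for n, p in zip(ms, self.prev)]   # F_TRIG
        self.prev = ms
        if self.error:
            return self.diag                                    # restart inhibited
        s, d = self.state, self.dir
        if s == 0x8000:
            if any(rise) and not enable:                        # starts without MutingEnable
                return self._fail(0xF, ms)
            if (ms11 or ms12) and (ms21 or ms22):               # entry and exit pair together
                return self._fail(0x0, ms)
            for a, b in ((0, 1), (2, 3)):                       # partner sensor held statically
                if (rise[a] and ms[b] and not rise[b]) or (rise[b] and ms[a] and not rise[a]) \
                        or (ms[a] and not rise[a] and ms[b] and not rise[b]):
                    return self._fail(0x0, ms)
            for d in DIRECTIONS:                                # conditions 1/3 and 11/13
                a, b, c, e = d["roles"]
                if enable and not ms[c] and not ms[e] and (rise[a] or rise[b]):
                    self.dir = d
                    self.state = (d["active1"] if rise[a] and rise[b]
                                  else d["start1"] if rise[a] else d["start2"])
                    break
        elif s in (d["start1"], d["start2"]):                   # waiting for second entry switch
            a, b, c, e = d["roles"]
            first, second = (a, b) if s == d["start1"] else (b, a)
            if not enable or not ms[first] or ms[c] or ms[e]:
                return self._fail(ERROR_Y[s], ms)
            if rise[second]:                                    # conditions 2/12
                self.state = d["active1"]
        elif s == d["active1"]:
            a, b, c, e = d["roles"]
            if not ms[a] or not ms[b]:
                return self._fail(ERROR_Y[s], ms)
            if ms[c] and ms[e]:                                 # conditions 4/14: all actuated
                self.state = d["active2"]
            elif rise[c] or rise[e]:                            # conditions 24/44: first exit switch
                self.state = d["step1"] if rise[c] else d["step2"]
        elif s in (d["step1"], d["step2"]):
            a, b, c, e = d["roles"]
            first, second = (c, e) if s == d["step1"] else (e, c)
            if not ms[a] or not ms[b] or not ms[first]:
                return self._fail(ERROR_Y[s], ms)
            if rise[second]:                                    # conditions 25/45
                self.state = d["active2"]
        elif s == d["active2"]:
            a, b, c, e = d["roles"]
            if any(rise):                                       # no sensor may be re-actuated
                return self._fail(ERROR_Y[s], ms)
            if not ms[a] and not ms[b] and (fall[c] or fall[e]):  # conditions 5/15
                self.state, self.dir = 0x8000, None
        self.diag = self.state
        return self.diag


def run(model, steps):
    """Feed (MutingEnable, MS_11, MS_12, MS_21, MS_22) tuples; return the DiagCode per cycle."""
    return [model.cycle(*step) for step in steps]
```

Feeding the forward pass of the four-panel example (MS_11, MS_12, MS_21, MS_22 actuated in order, then the entry pair released, then one exit switch released) returns the DiagCode sequence 8000, 8011, 8012, 8014, 8021, 8021, 8000, the same states that appear in the timing diagram; actuating MS_21 while the sequence is still in state 8011 returns 16#C154 (Y = 1 for state 8011, x = 5 for MS_11 and MS_21 actuated), and any first actuation without MutingEnable returns 16#CF14.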


Typical timing diagram

Fig. 110: Timing diagram for SF_MutingPar (signals shown: Activate, MutingEnable, S_AOPD_Out, MutingSwitch11, MutingSwitch12, MutingSwitch21, MutingSwitch22, S_AOPD_In, S_MutingActive, DiagCode, Error; DiagCode sequence in the diagram: 8000, 8000/8011, 8012, 8012, 8012, 8014, 8021, 8021, 8021, 8021, 8000, 8000)

Error behavior

The FB detects the following error conditions:
● DiscTime11_12 and DiscTime21_22 have been set to values less than T#0s or greater than T#4s.
● MaxMutingTime has been set to a value less than T#0s or greater than T#10min.
● The discrepancy time for the MutingSwitch11/MutingSwitch12 or MutingSwitch21/MutingSwitch22 sensor pairs has been exceeded.
● The muting function (S_MutingActive = TRUE) exceeds the maximum muting time MaxMutingTime.
● Muting sensors MutingSwitch11, MutingSwitch12, MutingSwitch21, and MutingSwitch22 are activated in the wrong order.
● Muting sequence starts without being enabled by MutingEnable.
● A faulty muting lamp is indicated by S_MutingLamp = FALSE.
● A static Reset condition is detected in states 8001 and 8003.

In the event of an error, the S_AOPD_Out and S_MutingActive outputs are set to FALSE. The DiagCode output indicates the relevant error code and the Error output is set to TRUE. A restart is inhibited until the error conditions are cleared and the safe state is acknowledged with Reset by the operator.


Function block-specific error and status codes

Table 55: FB-specific error codes

DiagCode (State name): State description and output setting

C001 (Reset Error 1): Static Reset condition detected after FB activation in state 8001. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

C002 (Reset Error 2): Static Reset condition detected in state 8003. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

C003 (Error Muting Lamp): Error detected in muting lamp. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

CYx4 (Error Muting Sequence): Error detected in muting sequence state 8000, 8011, 8311, 8012, 8021, 8014, 8314, 8122, 8422, 8121, 8112, 8114 or 8414. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.
Y = status in the sequence (6 states for forward and 6 states for backward direction):
C0x4 = Error occurred in state 8000
C1x4 = Error occurred in state Forward 8011
C2x4 = Error occurred in state Forward 8311
C3x4 = Error occurred in state Forward 8012
C4x4 = Error occurred in state Forward 8014
C5x4 = Error occurred in state Forward 8314
C6x4 = Error occurred in state Forward 8021
C7x4 = Error occurred in state Backward 8122
C8x4 = Error occurred in state Backward 8422
C9x4 = Error occurred in state Backward 8121
CAx4 = Error occurred in state Backward 8114
CBx4 = Error occurred in state Backward 8414
CCx4 = Error occurred in state Backward 8112
...
CFx4 = Muting enable missing
x = status of the sensors when the error occurred (4 bits: LSB = MS_11; MS_12; MS_21; MSB = MS_22).


C005 (Parameter Error): DiscTime11_12, DiscTime21_22 or MaxMutingTime value out of range. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

C006 (Error Timer MaxMuting): Timing error: active muting time (when S_MutingActive = TRUE) exceeds MaxMutingTime. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

C007 (Error Timer MS11_12): Timing error: discrepancy time for switching MutingSwitch11 and MutingSwitch12 > DiscTime11_12. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

C008 (Error Timer MS21_22): Timing error: discrepancy time for switching MutingSwitch21 and MutingSwitch22 > DiscTime21_22. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

Table 56: FB-specific status codes (no error)

DiagCode (State name): State description and output setting

0000 (Idle): The function block is not active (initial state). Ready = FALSE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8000 (AOPD Free): Muting not active and no safety demand from AOPD. If timers from a previous muting are still running, they are stopped. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE.


8001 (Init): Function block has been activated. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8002 (Safety Demand AOPD): Safety demand detected by AOPD, muting not active. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8003 (Wait for Reset): Safety demand or errors have been detected and are now cleared. Operator acknowledgment by Reset required. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8005 (Safe): Safety function activated. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8011 (Muting Forward Start 1): Muting forward sequence is in the starting phase after the rising trigger of MutingSwitch11. Monitoring of DiscTime11_12 is activated. Monitoring of MaxMutingTime is activated. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE.

8311 (Muting Forward Start 2): Muting forward sequence is in the starting phase after the rising trigger of MutingSwitch12. Monitoring of DiscTime11_12 is activated. Monitoring of MaxMutingTime is activated. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE.


8012 (Muting Forward Active 1): Muting forward sequence is active either:
- after the rising trigger of the second entry switch, MutingSwitch12 or MutingSwitch11, has been detected, or
- when both MutingSwitch11 and MutingSwitch12 have been actuated in the same cycle.
Monitoring of DiscTime11_12 is stopped. Monitoring of MaxMutingTime is activated when the transition came directly from state 8000. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.

8014 (Muting Forward Step 1): Muting forward sequence is active. MutingSwitch21 is the first actuated exit switch. Monitoring of DiscTime21_22 is started. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.

8314 (Muting Forward Step 2): Muting forward sequence is active. MutingSwitch22 is the first actuated exit switch. Monitoring of DiscTime21_22 is started. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.

8021 (Muting Forward Active 2): Muting forward sequence is still active. Both MutingSwitch21 and MutingSwitch22 are actuated; the monitoring of DiscTime21_22 is stopped. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.

8122 (Muting Backward Start 1): Muting backward sequence is in the starting phase after the rising trigger of MutingSwitch21. Monitoring of DiscTime21_22 is activated. Monitoring of MaxMutingTime is activated. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE.

8422 (Muting Backward Start 2): Muting backward sequence is in the starting phase after the rising trigger of MutingSwitch22. Monitoring of DiscTime21_22 is activated. Monitoring of MaxMutingTime is activated. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE.


8121 (Muting Backward Active 1): Muting backward sequence is active either:
- after the rising trigger of the second entry switch, MutingSwitch21 or MutingSwitch22, has been detected, or
- when both MutingSwitch21 and MutingSwitch22 have been actuated in the same cycle.
Monitoring of DiscTime21_22 is stopped. Monitoring of MaxMutingTime is activated when the transition came directly from state 8000. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.

8114 (Muting Backward Step 1): Muting backward sequence is active. MutingSwitch11 is the first actuated exit switch. Monitoring of DiscTime11_12 is started. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.

8414 (Muting Backward Step 2): Muting backward sequence is active. MutingSwitch12 is the first actuated exit switch. Monitoring of DiscTime11_12 is started. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.

8112 (Muting Backward Active 2): Muting backward sequence is still active. Both exit switches MutingSwitch11 and MutingSwitch12 are actuated; the monitoring of DiscTime11_12 is stopped. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.


4.6.4.14 SF_MutingPar_2Sensor

Standards / Requirements

IEC 61496-1:2004, A.7 Muting
A.7.1.2 There shall be at least two independent hard-wired muting signal sources to initiate the function. It shall not be possible to initiate muting when the OSSDs are already in the OFF-state.
A.7.1.3 The mute function shall only be initiated by the correct sequence and/or timing of the muting signals. Should conflicting muting signals occur, the ESPE shall not allow a muted condition to occur.
A.7.1.4 There shall be at least two independent hard-wired muting signal sources to stop the function. The muting function shall stop when the first of these muting signals changes state. The deactivation of the muting function shall not rely only on the clearance of the ESPE.
A.7.1.5 The muting signals should be continuously present during muting. When the signals are not continuously present, an incorrect sequence and/or the expiration of a pre-set time limit shall cause either a lock-out condition or a restart interlock.
A.7.4 Indication: A mute status signal or indicator shall be provided (in some applications, an indication signal of muting is necessary).

IEC 62046/Ed. 1:2005
5.5.1: ... an indicator to show when the muting function is active can be necessary. The muting function shall be initiated and terminated automatically ... Incorrect signals, sequence or timing of the muting sensors or signals shall not allow a mute condition. It shall not be possible to initiate the muting function when:
● the protective equipment OSSDs are in the OFF-state;
● the protective equipment is in the lock-out condition;
● initiation of the muting function by two or more independent muting sensors such that a single fault cannot cause a muted condition;
● termination of the muting function by two or more independent muting sensors such that deactivation of one sensor will terminate the muting function;
● use of timing and sequence control of the muting sensors to ensure correct muting operation.
5.5.3: The following measures shall be considered ...
● limiting muting to a fixed time that is only sufficient for the material to pass through the detection zone. When this time is exceeded, the muting function should be canceled and all hazardous movements stopped.
Annex F.7 Two sensors - Crossed beams (refer also to Fig. F.7.2 and F.7.3 in the standard): The muting function should only be initiated when the two beams are activated within a time limit of 4 sec. The muting function should be terminated as soon as one of the two beams of the muting sensors is no longer activated. A monitored timer that limits the muting function to the minimum practicable time is required.
Annex F.5: Methods to avoid manipulation of the muting function: ... use a muting enable command generated by the control system of the machine that will only enable the muting function when needed by the machine cycle.

EN 954-1:1996, 5.4 Manual reset

ISO 12100-2:2003, 4.11.4: Restart following power failure/spontaneous restart


Muting is the intended suppression of the safety function. In this FB, parallel muting with two muting sensors is specified.

Muting is the intended suppression of the safety function. This is required, e.g., when transporting the material into the danger zone without causing the machine to stop. Muting is triggered by muting sensors. The use of two muting sensors and correct integration into the production sequence must ensure that no persons enter the danger zone while the light curtain is muted. Muting sensors can be push buttons, proximity switches, photoelectric barriers, limit switches, etc., which do not have to be fail-safe. Active muting mode must be indicated by indicator lights.

There are sequential and parallel muting procedures. In this FB, parallel muting with two muting sensors was used; an explanation is provided below. The positioning of the sensors should be as described in Annex F.7 of IEC 62046, 2005 (see “Example for SF_MutingPar_2Sensor with two reflecting light barriers” on page 279). The FB can be used in both directions, forward and backward. However, the actual direction cannot be identified. The muting should be enabled with the MutingEnable signal by the process control to avoid manipulation.

The FB input parameters include the signals of the two muting sensors (S_MutingSwitch11 and S_MutingSwitch12), the OSSD signal from the AOPD device (S_AOPD_In) as well as two parameterizable times (DiscTimeEntry and MaxMutingTime).

The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Table 57: FB name: SF_MutingPar_2Sensor

Name (Data type, Initial value): Description, parameter values

VAR_INPUT

Activate (BOOL, initial value FALSE): See Table 16 “General input parameters” on page 203.

S_AOPD_In (BOOL, initial value FALSE): Variable. OSSD signal from AOPD. FALSE: Protection field interrupted. TRUE: Protection field not interrupted.

S_MutingSwitch11 (BOOL, initial value FALSE): Variable. Status of muting sensor 11. FALSE: Muting sensor 11 not actuated. TRUE: Workpiece actuates muting sensor 11.

S_MutingSwitch12 (BOOL, initial value FALSE): Variable. Status of muting sensor 12. FALSE: Muting sensor 12 not actuated. TRUE: Workpiece actuates muting sensor 12.


S_MutingLamp (BOOL, initial value FALSE): Variable or constant. Indicates operation of the muting lamp. FALSE: Muting lamp failure. TRUE: No muting lamp failure.

MutingEnable (BOOL, initial value FALSE): Variable or constant. Command by the control system that enables the start of the muting function when needed by the machine cycle. After the start of the muting function, this signal can be switched off. FALSE: Muting not enabled. TRUE: Start of muting function enabled.

S_StartReset (BOOL, initial value FALSE): See Table 16 “General input parameters” on page 203.

Reset (BOOL, initial value FALSE): See Table 16 “General input parameters” on page 203.

DiscTimeEntry (TIME, initial value T#0s): Constant 0..4 s; maximum discrepancy time for S_MutingSwitch11 and S_MutingSwitch12 entering the muting gate.

MaxMutingTime (TIME, initial value T#0s): Constant 0..10 min; maximum time for the complete muting sequence, timer started when the first muting sensor is actuated.

VAR_OUTPUT

Ready (BOOL, initial value FALSE): See Table 17 “General output parameters” on page 204.

S_AOPD_Out (BOOL, initial value FALSE): Safety-related output, indicates the status of the muted guard. FALSE: AOPD protection field interrupted and muting not active. TRUE: AOPD protection field not interrupted or muting active.

S_MutingActive (BOOL, initial value FALSE): Indicates the status of the muting process. FALSE: Muting not active. TRUE: Muting active.

Error (BOOL, initial value FALSE): See Table 17 “General output parameters” on page 204.

DiagCode (WORD, initial value 16#0000): See Table 17 “General output parameters” on page 204.

Note: Line control of the muting sensor signals must be active in the safety loop.


Example for SF_MutingPar_2Sensor with two reflecting light barriers

Fig. 111: Example for SF_MutingPar_2Sensor (figure showing the AOPD transmitter and receiver, the danger zone and the two crossed muting sensors MS_11 and MS_12)

If reflection light barriers are used as muting sensors, they are generally arranged diagonally. In general, this arrangement of reflection light barriers as muting sensors requires only two light barriers, and only S_MutingSwitch11 (MS_11) and S_MutingSwitch12 (MS_12) are allocated.

Muting conditions

Muting condition 1 (to state 8011) (MS_11 is the first actuated entry switch). Start timers DiscTimeEntry and MaxMutingTime:
MutingEnable AND R_TRIG at MS_11 AND NOT MS_12

Muting condition 2 (to state 8311) (MS_12 is the first actuated entry switch). Start timers DiscTimeEntry and MaxMutingTime:
MutingEnable AND NOT MS_11 AND R_TRIG at MS_12

Muting condition 3 (from state 8011 to state 8012) (MS_12 is the second actuated entry switch). Stop timer DiscTimeEntry:
MutingEnable AND MS_11 AND R_TRIG at MS_12

Muting condition 4 (from state 8311 to state 8012) (MS_11 is the second actuated entry switch). Stop timer DiscTimeEntry:
MutingEnable AND R_TRIG at MS_11 AND MS_12

Muting condition 5 (from state 8000 to state 8012) (both switches actuated in the same cycle). Start timer MaxMutingTime:
MutingEnable AND R_TRIG at MS_11 AND R_TRIG at MS_12

Muting condition 6 (from state 8012 to state 8000) (both switches released in the same cycle, or MS_11 and MS_12 released consecutively). Stop timer MaxMutingTime:
NOT MS_11 OR NOT MS_12

Wrong muting sequences

State 8000 - (R_TRIG at MS_11 AND MS_12 AND NOT R_TRIG at MS_12) OR
(R_TRIG at MS_12 AND MS_11 AND NOT R_TRIG at MS_11) OR
((MS_11 AND NOT R_TRIG at MS_11) AND (MS_12 AND NOT R_TRIG at MS_12)) OR
(NOT MutingEnable AND R_TRIG at MS_11) OR
(NOT MutingEnable AND R_TRIG at MS_12)

State 8011 - NOT MutingEnable OR NOT MS_11
State 8311 - NOT MutingEnable OR NOT MS_12
State 8012 - all possible transitions allowed
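The two-sensor variant differs from the four-sensor block mainly in what the two monitored times do: DiscTimeEntry bounds the gap between the two entry signals, and MaxMutingTime bounds the whole muted interval, so a workpiece that stalls in the gate, or a sensor that is held, cannot keep the guard muted. The following Python model is an added example, not code from ABB or from the library; it implements the muting conditions and wrong-sequence list above together with the CYx4, C005, C006 and C007 codes of Table 58, counting time in PLC cycles. Two points are the example's own assumptions: MaxMutingTime is started at the first sensor actuation (as the parameter description says) and checked while S_MutingActive is TRUE, and the out-of-range comparison is strict as written in Table 58 (">"). The AOPD input, muting lamp and Reset are not modelled, and the names MutingPar2SensorModel and in_range are the example's own.

```python
# Added example, not ABB's code: a cycle-based model of SF_MutingPar_2Sensor with
# its two monitored times, built from the muting conditions, wrong-sequence list
# and the error codes of Tables 58/59. Time is counted in PLC cycles of cycle_ms.
# Assumptions: MaxMutingTime runs from the first sensor actuation and is checked
# while S_MutingActive is TRUE; AOPD, muting lamp and Reset are not modelled;
# an error latches until reset() is called.

DISC_TIME_RANGE_MS = (0, 4_000)        # DiscTimeEntry: constant 0..4 s
MAX_MUTING_RANGE_MS = (0, 600_000)     # MaxMutingTime: constant 0..10 min
C005_PARAMETER, C006_MAX_MUTING, C007_DISC_ENTRY = 0xC005, 0xC006, 0xC007
ERROR_Y = {0x8000: 0x0, 0x8011: 0x1, 0x8311: 0x2}   # CYx4 "Y" nibble; 0xF = enable missing


def in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


class MutingPar2SensorModel:
    def __init__(self, disc_time_ms, max_muting_ms, cycle_ms=10):
        self.disc_time_ms, self.max_muting_ms = disc_time_ms, max_muting_ms
        self.cycle_ms = cycle_ms
        self.reset()

    def reset(self):
        self.state, self.diag, self.error = 0x8000, 0x8000, False
        self.prev = (False, False)
        self.t_disc = self.t_max = None    # None = timer stopped, else elapsed ms

    def _fail(self, code):
        self.error, self.diag = True, code
        return code

    def _seq_error(self, y, ms):
        x = int(ms[0]) | int(ms[1]) << 1   # LSB = MS_11, next bit = MS_12
        return self._fail(0xC004 | (y << 8) | (x << 4))

    def muting_active(self):
        return not self.error and self.state == 0x8012

    def cycle(self, enable, ms11, ms12):
        """One PLC cycle with (MutingEnable, S_MutingSwitch11, S_MutingSwitch12); returns DiagCode."""
        ms = (ms11, ms12)
        rise = [n and not p for n, p in zip(ms, self.prev)]   # R_TRIG
        self.prev = ms
        if self.error:
            return self.diag
        if not (in_range(self.disc_time_ms, DISC_TIME_RANGE_MS)
                and in_range(self.max_muting_ms, MAX_MUTING_RANGE_MS)):
            return self._fail(C005_PARAMETER)
        if self.t_disc is not None:
            self.t_disc += self.cycle_ms
        if self.t_max is not None:
            self.t_max += self.cycle_ms
        s = self.state
        if s == 0x8000:
            if any(rise) and not enable:                          # CFx4: enable missing
                return self._seq_error(0xF, ms)
            if (rise[0] and ms12 and not rise[1]) or (rise[1] and ms11 and not rise[0]) \
                    or (ms11 and not rise[0] and ms12 and not rise[1]):   # static sensor
                return self._seq_error(0x0, ms)
            if any(rise):
                self.t_max = 0                                    # first actuation
                if rise[0] and rise[1]:
                    self.state = 0x8012                           # condition 5
                else:
                    self.state = 0x8011 if rise[0] else 0x8311    # condition 1 / 2
                    self.t_disc = 0
        elif s in (0x8011, 0x8311):
            first, second = (0, 1) if s == 0x8011 else (1, 0)
            if not enable or not ms[first]:                       # wrong sequence
                return self._seq_error(ERROR_Y[s], ms)
            if self.t_disc > self.disc_time_ms:                   # C007
                return self._fail(C007_DISC_ENTRY)
            if rise[second]:                                      # condition 3 / 4
                self.state, self.t_disc = 0x8012, None
        elif s == 0x8012:
            if self.t_max > self.max_muting_ms:                   # C006
                return self._fail(C006_MAX_MUTING)
            if not ms11 or not ms12:                              # condition 6
                self.state, self.t_max = 0x8000, None
        self.diag = self.state
        return self.diag
```

With a 10 ms cycle, DiscTimeEntry = 2 s and MaxMutingTime = 60 s, a correct pass (MS_11, then MS_12 within the discrepancy time, then either sensor released) returns 8000, 8011, 8012, 8012, 8000. Holding MS_11 alone for more than 200 cycles yields 16#C007, a muted interval longer than MaxMutingTime yields 16#C006, and a sensor that is still held when its partner is actuated again in state 8000 yields 16#C034 (Y = 0, x = 3), which is the case the parameter note on line control is meant to cover.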


Typical timing diagram

Fig. 112: Timing diagram for SF_MutingPar_2Sensor (S_StartReset = TRUE, Reset = FALSE, S_MutingLamp = TRUE)

Error behavior

The FB detects the following error conditions:
● DiscTimeEntry has been set to a value less than T#0s or greater than T#4s.
● MaxMutingTime has been set to a value less than T#0s or greater than T#10min.
● The discrepancy time for the S_MutingSwitch11/S_MutingSwitch12 sensor pair has been exceeded.
● The muting function (S_MutingActive = TRUE) exceeds the maximum muting time MaxMutingTime.
● Muting sensors S_MutingSwitch11 and S_MutingSwitch12 are activated in the wrong order.
● Muting sequence starts without being enabled by MutingEnable.
● Static muting sensor signals.
● A faulty muting lamp is indicated by S_MutingLamp = FALSE.
● A static Reset condition is detected in states 8001 and 8003.

In the event of an error, the S_AOPD_Out and S_MutingActive outputs are set to FALSE. The DiagCode output indicates the relevant error code and the Error output is set to TRUE. A restart is inhibited until the error conditions are cleared and the safe state is acknowledged with Reset by the operator.

Function block-specific error and status codes

Table 58: FB-specific error codes

DiagCode (State name): State description and output setting

C001 (Reset Error 1): Static Reset condition detected after FB activation in state 8001. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

C002 (Reset Error 2): Static Reset condition detected in state 8003. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.


C003 (Error Muting Lamp): Error detected in muting lamp. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

CYx4 (Error Muting Sequence): Error detected in muting sequence state 8000, 8011 or 8311. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.
Y = status in the sequence:
C0x4 = Error occurred in state 8000
C1x4 = Error occurred in state 8011
C2x4 = Error occurred in state 8311
CFx4 = Muting enable missing
x = status of the sensors when the error occurred (4 bits: LSB = MS_11; next to LSB = MS_12).

C005 (Parameter Error): DiscTimeEntry or MaxMutingTime value out of range. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

C006 (Error Timer MaxMuting): Timing error: active muting time (when S_MutingActive = TRUE) exceeds MaxMutingTime. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.

C007 (Error Timer Entry): Timing error: discrepancy time for switching S_MutingSwitch11 and S_MutingSwitch12 from FALSE to TRUE > DiscTimeEntry. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = TRUE.


Table 59: FB-specific status codes (no error)

DiagCode (State name): State description and output setting

0000 (Idle): The function block is not active (initial state). Ready = FALSE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8000 (AOPD Free): Muting not active and no safety demand from AOPD. If timers from a previous muting are still running, they are stopped. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE.

8001 (Init): Function block was activated. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8002 (Safety Demand AOPD): Safety demand detected by AOPD, muting not active. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8003 (Wait for Reset): Safety demand or errors have been detected and are now cleared. Operator acknowledgment by Reset required. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8005 (Safe): Safety function activated. Ready = TRUE, S_AOPD_Out = FALSE, S_MutingActive = FALSE, Error = FALSE.

8011 (Muting Start 1): Muting sequence is in the starting phase after the rising trigger of S_MutingSwitch11. Monitoring of DiscTimeEntry is activated. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE.


8311 (Muting Start 2): Muting sequence is in the starting phase after the rising trigger of S_MutingSwitch12. Monitoring of DiscTimeEntry is activated. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = FALSE, Error = FALSE.

8012 (Muting Active): Muting sequence is active either:
- after the rising trigger of the second switch, S_MutingSwitch12 or S_MutingSwitch11, has been detected, or
- when both S_MutingSwitch11 and S_MutingSwitch12 have been actuated in the same cycle.
Monitoring of DiscTimeEntry is stopped. Monitoring of MaxMutingTime is activated. Ready = TRUE, S_AOPD_Out = TRUE, S_MutingActive = TRUE, Error = FALSE.

4.6.4.15 SF_EnableSwitch

Standards / Requirements

IEC 60204-1, Ed. 5.0:2003
9.2.6.3: Enabling control (refer also to 10.9 below) is a manually activated control function interlock that:
● when activated allows a machine operation to be initiated by a separate start control, and
● when deactivated - initiates a stop function, and - prevents initiation of machine operation.
Enabling control shall be so arranged as to minimize the possibility of defeating, for example, by requiring the deactivation of the enabling control device before machine operation may be reinitiated. It should not be possible to defeat the enabling function by simple means.
10.9: When an enabling control device is provided as a part of a system, it shall signal the enabling control to allow operation when actuated in one position only. In any other position, operation shall be stopped or prevented. Enabling control devices shall be selected that have the following features: ...
● for a three-position type:
  – position 1: off-function of the switch (actuator is not operated);
  – position 2: enabling function (actuator is operated in its mid position);
  – position 3: off-function (actuator is operated past its mid position);
● when returning from position 3 to position 2, the enabling function is not activated.

EN 954-1:1996, 5.4 Manual reset

ISO 12100-2:2003, 4.11.4: Restart following power failure/spontaneous restart


The SF_EnableSwitch FB evaluates the signals of an enable switch with three positions (EN 60204 Section 9.2.5.8). It supports the suspension of safeguarding (EN 60204 Section 9.2.4) using enable switches, if the relevant operating mode is selected and active. The relevant operating mode (limitation of the speed or the power of motion, limitation of the range of motion) must be selected outside the SF_EnableSwitch FB.

The S_EnableSwitchCh1 and S_EnableSwitchCh2 input parameters process the following signal levels of contacts E1 to E4:

Fig. 113: Switch positions

The signal from E1+E2 must be connected to the S_EnableSwitchCh1 parameter. The signal from E3+E4 must be connected to the S_EnableSwitchCh2 parameter. The position of the enable switch is detected in the FB from this signal sequence. The transition from position 2 to position 3 may differ from the sequence shown here.

The switching direction (position 1 => position 2, or position 3 => position 2) is detected in the FB from the defined signal sequence of the enable switch contacts. The suspension of safeguarding can only be enabled by the FB after a move from position 1 to position 2. Other switching directions or positions must not be used to enable the suspension of safeguarding. This measure meets the requirements of EN 60204 Section 9.2.5.8.

In order to meet the requirements of EN 60204 Section 9.2.4, the user shall use a suitable switching device. In addition, the user must ensure that the relevant operating mode (EN 60204 Section 9.2.3) is selected in the application (automatic operation must be disabled in this operating mode using appropriate measures). The operating mode is usually specified using an operating mode selection switch in conjunction with the SF_ModeSelector FB and the SF_SafetyRequest or SF_SafelyLimitedSpeed FB.


The SF_EnableSwitch FB processes the confirmation of the "safe mode" state via the S_SafetyActive parameter. If the application implements the safe mode without a confirmation signal, a static TRUE signal is connected to the S_SafetyActive parameter.

The S_AutoReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Table 60: FB name: SF_EnableSwitch
Name (Data type, Initial value): Description, parameter values

VAR_INPUT
Activate (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
S_SafetyActive (BOOL, FALSE): Variable or constant. Confirmation of the safe mode (limitation of the speed or the power of motion, limitation of the range of motion). FALSE: Safe mode is not active. TRUE: Safe mode is active.
S_EnableSwitchCh1 (BOOL, FALSE): Variable. Signal of contacts E1 and E2 of the connected enable switch. FALSE: Connected switches are open. TRUE: Connected switches are closed.
S_EnableSwitchCh2 (BOOL, FALSE): Variable. Signal of contacts E3 and E4 of the connected enable switch. FALSE: Connected switches are open. TRUE: Connected switches are closed.
S_AutoReset (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
Reset (BOOL, FALSE): see Table 16 "General input parameters" on page 203.

VAR_OUTPUT
Ready (BOOL, FALSE): see Table 17 "General output parameters" on page 204.
S_EnableSwitchOut (BOOL, FALSE): Safety-related output: indicates suspension of the guard. FALSE: Disable suspension of safeguarding. TRUE: Enable suspension of safeguarding.
Error (BOOL, FALSE): see Table 17 "General output parameters" on page 204.
DiagCode (WORD, 16#0000): see Table 17 "General output parameters" on page 204.


Typical timing diagrams

Fig. 114: Timing diagram for SF_EnableSwitch: S_AutoReset = FALSE

Fig. 115: Timing diagram for SF_EnableSwitch: S_AutoReset = TRUE

Error behavior

The following conditions force a transition to the error state:
● Invalid static Reset signal in the process.
● Invalid switch positions.

In the event of an error, the S_EnableSwitchOut safe output is set to FALSE and remains in this safe state.


Different from other FBs, a Reset error state can be left by the condition Reset = FALSE or, additionally, when the signal S_SafetyActive is FALSE. Once the error has been removed, the enable switch must be in the initial position specified in the process before the S_EnableSwitchOut output can be set to TRUE using the enable switch. If S_AutoReset = FALSE, a rising trigger is required at Reset.

Function block-specific error and status codes

Table 61: FB-specific error codes
DiagCode  State name  State description and output setting
C001  Reset Error 1: Static Reset signal detected in state C020.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = TRUE
C002  Reset Error 2: Static Reset signal detected in state C040.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = TRUE
C010  Operation Error 1: Enable switch not in position 1 during activation of S_SafetyActive.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = TRUE
C020  Operation Error 2: Enable switch in position 1 after C010.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = TRUE
C030  Operation Error 3: Enable switch in position 2 after position 3.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = TRUE
C040  Operation Error 4: Enable switch not in position 2 after C030.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = TRUE


Table 62: FB-specific status codes (no error)
DiagCode  State name  State description and output setting
0000  Idle: The function block is not active (initial state).
      Ready = FALSE, S_EnableSwitchOut = FALSE, Error = FALSE
8004  Basic Operation Mode: Safe operation mode is not active.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = FALSE
8005  Safe Operation Mode: Safe operation mode is active.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = FALSE
8006  Position 1: Safe operation mode is active and the enable switch is in position 1.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = FALSE
8007  Position 3: Safe operation mode is active and the enable switch is in position 3.
      Ready = TRUE, S_EnableSwitchOut = FALSE, Error = FALSE
8000  Position 2: Safe operation mode is active and the enable switch is in position 2.
      Ready = TRUE, S_EnableSwitchOut = TRUE, Error = FALSE
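As an added illustration of the direction check and of the DiagCodes in Tables 61 and 62, the following is a cycle-by-cycle Python model of the block's behaviour. It is example code written for this page, not ABB's or PLCopen's library implementation. The contact-to-position decoding assumes the PLCopen-style sequence of Fig. 113, which is not reproduced in this text, and the class and function names are the example's own. It shows the point that matters for defeat resistance: reaching position 2 from position 3 yields C030 rather than an enable, and a Reset input tied permanently TRUE is reported as a static Reset (C001) instead of clearing the error.

```python
"""Cycle-by-cycle model of the SF_EnableSwitch direction check and DiagCodes.

Added example for this manual section; it is not ABB's or PLCopen's library
code. Assumptions not stated on this page:
  * contact decoding (Fig. 113 is not reproduced here): position 1 = Ch1 FALSE,
    Ch2 FALSE; position 2 = both TRUE; position 3 = Ch1 FALSE, Ch2 TRUE; the
    pattern Ch1 TRUE, Ch2 FALSE is treated as the intermediate of a 1 -> 2 move;
  * after a Reset from C020/C040 the block returns to 8005 and waits for
    position 1 before it can enable again;
  * S_SafetyActive = FALSE leaves every error state, not only the Reset errors.
"""
from dataclasses import dataclass

POS1, POS2, POS3, MID = 1, 2, 3, 0   # MID = intermediate contact pattern


def decode_position(ch1: bool, ch2: bool) -> int:
    """Map the two channel signals (E1+E2, E3+E4) to a switch position."""
    return {(False, False): POS1, (True, True): POS2,
            (False, True): POS3, (True, False): MID}[(ch1, ch2)]


@dataclass
class SFEnableSwitch:
    s_auto_reset: bool = False
    diag: int = 0x0000
    out: bool = False                 # S_EnableSwitchOut
    _safety_prev: bool = False        # for the rising edge of S_SafetyActive
    _reset_prev: bool = False         # for the rising edge of Reset

    def cycle(self, activate, s_safety_active, ch1, ch2, reset=False):
        """One PLC cycle; returns (DiagCode, S_EnableSwitchOut)."""
        pos = decode_position(ch1, ch2)
        safety_rise = s_safety_active and not self._safety_prev
        reset_rise = reset and not self._reset_prev
        self._safety_prev, self._reset_prev = s_safety_active, reset
        d = self.diag

        if not activate:
            d = 0x0000                                   # Idle
        elif not s_safety_active:
            d = 0x8004                                   # Basic Operation Mode
        elif safety_rise:
            d = 0x8005 if pos == POS1 else 0xC010        # safe mode must start in position 1
        elif d in (0x8004, 0x8005):
            d = 0x8006 if pos == POS1 else d
        elif d == 0x8006:                                # Position 1; MID = 1 -> 2 in progress
            d = {POS2: 0x8000, POS3: 0x8007}.get(pos, 0x8006)
        elif d == 0x8000:                                # Position 2, suspension enabled
            d = {POS2: 0x8000, POS3: 0x8007}.get(pos, 0x8006)
        elif d == 0x8007:                                # Position 3: 3 -> 2 must NOT enable
            d = {POS2: 0xC030, POS1: 0x8006}.get(pos, 0x8007)
        elif d == 0xC010:
            d = 0xC020 if pos == POS1 else d             # back in position 1: manual reset needed
        elif d == 0xC030:
            d = 0xC040 if pos != POS2 else d             # left position 2: manual reset needed
        elif d in (0xC020, 0xC040):
            if reset_rise or self.s_auto_reset:
                d = 0x8005
            elif reset:                                  # TRUE without an edge: static Reset
                d = 0xC001 if d == 0xC020 else 0xC002
        elif d in (0xC001, 0xC002):
            if not reset:                                # Reset error clears when Reset drops
                d = 0xC020 if d == 0xC001 else 0xC040

        self.diag = d
        self.out = d == 0x8000
        return d, self.out


def trace(fb: SFEnableSwitch, samples):
    """Run (activate, s_safety_active, ch1, ch2, reset) tuples, one per cycle."""
    return [fb.cycle(*s)[0] for s in samples]
```

Feed the block one sample per PLC cycle; `trace` returns the DiagCode of each cycle, so a sequence of switch movements can be checked against the state tables above before the real application is commissioned.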

4.6.4.16 SF_SafetyRequest

Standards and requirements

IEC 60204-1, Ed. 5.0:2003
9.2.4 Suspension of safety functions and/or protective measures: Where it is necessary to suspend safety functions and/or protective measures (for example, for setting or maintenance purposes), protection shall be ensured by:
● disabling all other operating (control) modes; and
● other relevant means (refer to 4.11.9 of ISO 12100-2:2003), that can include, for example, one or more of the following:
– limitation of the speed or the power of motion
– limitation of the range of motion

EN 954-1:1996
5.4: Manual reset

ISO 12100-2:2003
4.11.4: Restart following power failure/spontaneous restart


The function block represents the interface between the user program and the system environment.

Fig. 116: Example of SF_SafetyRequest

This function block provides the interface between the safety-related system and a generic actuator, e.g. a safety drive or a safety valve, to place the actuator in a safe state. The safety-related functions of the actuator are thereby available within the application program. However, there are only two binary signals to control the safe state of the generic actuator: one for requesting the safe state and one for receiving the confirmation.

The safety function itself is provided by the actuator. Therefore the FB only initiates the request, monitors it, and sets the output when the actuator acknowledges the safe state. This is indicated with the S_SafetyActive output.

This FB does not define any generic actuator-specific parameters; they should be specified in the generic actuator itself. The FB switches the generic actuator from the operation mode to a safe state.

Table 63: FB name: SF_SafetyRequest
Name (Data type, Initial value): Description, parameter values

VAR_INPUT
Activate (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
S_OpMode (BOOL, FALSE): Variable. Requested mode of a generic safe actuator. FALSE: Safe mode is requested. TRUE: Operation mode is requested.
S_Acknowledge (BOOL, FALSE): Variable. Confirmation of the generic actuator that it is in the safe state. FALSE: Operation mode (non-safe). TRUE: Safe mode.
Reset (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
MonitoringTime (TIME, T#0s): Constant. Monitoring of the response time between the safety function request (S_OpMode set to FALSE) and the actuator acknowledgment (S_Acknowledge switches to TRUE).

VAR_OUTPUT
Ready (BOOL, FALSE): see Table 17 "General output parameters" on page 204.
S_SafetyActive (BOOL, FALSE): Confirmation of the safe state. FALSE: Non-safe state. TRUE: Safe state.
S_SafetyRequest (BOOL, FALSE): Request to place the actuator in a safe state. FALSE: Safe state is requested. TRUE: Non-safe state (operation mode).
Error (BOOL, FALSE): see Table 17 "General output parameters" on page 204.
DiagCode (WORD, 16#0000): see Table 17 "General output parameters" on page 204.

Typical timing diagram

Fig. 117: Timing diagram for SF_SafetyRequest

Error behavior

The FB detects whether the actuator does not enter the safe state within the monitoring time. The FB detects whether the acknowledge signal is lost while the request is still active. The FB detects a static Reset signal.
External FB errors: There are no external errors, since no error bits/information are provided by the generic actuator.

In the event of an error, the S_SafetyActive output is set to FALSE. An error must be acknowledged by a rising trigger at the Reset input. To continue the function block after this reset, the S_OpMode request must be set to TRUE.

Function block-specific error and status codes

Table 64: FB-specific error codes
DiagCode  State name  State description and output setting
C002  Acknowledge Lost: Acknowledgment lost while in the safe state.
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = FALSE, Error = TRUE
C003  MonitoringTime Elapsed: S_OpMode request could not be completed within the monitoring time.
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = FALSE, Error = TRUE
C004  Reset Error 2: Static Reset detected in state C002 (Acknowledge Lost).
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = FALSE, Error = TRUE
C005  Reset Error 3: Static Reset detected in state C003 (MonitoringTime Elapsed).
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = FALSE, Error = TRUE


Table 65: FB-specific status codes (no error)
DiagCode  State name  State description and output setting
0000  Idle: The function block is not active (initial state).
      Ready = FALSE, S_SafetyActive = FALSE, S_SafetyRequest = FALSE, Error = FALSE
8000  Safe Mode: Actuator is in a safe mode.
      Ready = TRUE, S_SafetyActive = TRUE, S_SafetyRequest = FALSE, Error = FALSE
8001  Init: State after Activate is set to TRUE or after a rising trigger at Reset.
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = FALSE, Error = FALSE
8002  Operation Mode: Operation mode without acknowledge of the safe mode.
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = TRUE, Error = FALSE
8012  Wait for Confirmation OpMode: Operation mode with acknowledge of the safe mode.
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = TRUE, Error = FALSE
8003  Wait for Confirmation: Waiting for confirmation from the drive (system interface).
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = FALSE, Error = FALSE
8005  Wait for OpMode: Error was cleared. However, S_OpMode must be set to TRUE before the FB can be initialized.
      Ready = TRUE, S_SafetyActive = FALSE, S_SafetyRequest = FALSE, Error = FALSE
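The request/acknowledge handshake and the MonitoringTime watchdog described above, as an added Python model. This is example code written for this page, not the library's implementation; where the page does not state a transition (the cycle time, the return path from 8005 via Init, and what happens if the request is withdrawn while waiting), the model makes the assumptions listed in its docstring, and the names are the example's own. It demonstrates the two failure modes the block is specified to detect: an actuator that never acknowledges within MonitoringTime (C003) and an acknowledge that disappears while the safe state is still required (C002), plus the static-Reset variants C004/C005.

```python
"""Cycle-by-cycle model of the SF_SafetyRequest request/acknowledge handshake
with its MonitoringTime watchdog.

Added example for this manual section; not ABB's or PLCopen's library code.
Assumptions where the page does not spell out the transition: the cycle time is
passed in as dt_ms; from 8005 the block re-enters 8001 (Init) once S_OpMode is
TRUE; a request withdrawn while waiting (S_OpMode back to TRUE in 8003) returns
to 8002; MonitoringTime counts as elapsed once the accumulated wait reaches it.
"""
from dataclasses import dataclass


@dataclass
class SFSafetyRequest:
    monitoring_time_ms: int
    diag: int = 0x0000
    s_safety_active: bool = False     # TRUE only once the actuator has confirmed
    s_safety_request: bool = False    # FALSE = safe state requested (de-energise to trip)
    _wait_ms: int = 0
    _reset_prev: bool = False

    def cycle(self, activate, s_op_mode, s_acknowledge, reset=False, dt_ms=10):
        """One PLC cycle; returns the DiagCode."""
        reset_rise = reset and not self._reset_prev
        self._reset_prev = reset
        d = self.diag

        if not activate:
            d = 0x0000                                     # Idle
        elif d == 0x0000:
            d = 0x8001                                     # Init
        elif d == 0x8001:
            d = 0x8002 if s_op_mode else 0x8003
            self._wait_ms = 0
        elif d in (0x8002, 0x8012):                        # operation mode, request line TRUE
            if not s_op_mode:
                d, self._wait_ms = 0x8003, 0               # ask for the safe state, start watchdog
            else:
                d = 0x8012 if s_acknowledge else 0x8002    # 8012: actuator still reports safe
        elif d == 0x8003:                                  # Wait for Confirmation
            if s_op_mode:
                d = 0x8002
            elif s_acknowledge:
                d = 0x8000                                 # Safe Mode confirmed
            else:
                self._wait_ms += dt_ms
                if self._wait_ms >= self.monitoring_time_ms:
                    d = 0xC003                             # MonitoringTime elapsed
        elif d == 0x8000:
            if s_op_mode:
                d = 0x8012 if s_acknowledge else 0x8002
            elif not s_acknowledge:
                d = 0xC002                                 # Acknowledge lost in safe state
        elif d in (0xC002, 0xC003):
            if reset_rise:
                d = 0x8005                                 # Wait for OpMode
            elif reset:
                d = 0xC004 if d == 0xC002 else 0xC005      # static Reset: no edge seen
        elif d in (0xC004, 0xC005):
            if not reset:
                d = 0xC002 if d == 0xC004 else 0xC003
        elif d == 0x8005:
            d = 0x8001 if s_op_mode else d                 # S_OpMode TRUE required to re-init

        self.diag = d
        self.s_safety_active = d == 0x8000
        self.s_safety_request = d in (0x8002, 0x8012)
        return d


def trace(fb: SFSafetyRequest, samples):
    """Run (activate, s_op_mode, s_acknowledge[, reset]) tuples, one per cycle."""
    return [fb.cycle(*s) for s in samples]
```

Note the fail-safe polarity: S_SafetyRequest is FALSE while the safe state is requested and S_SafetyActive is only TRUE after the actuator has answered, so a broken wire on either signal lands the model in a non-safe-but-not-enabled state rather than in a silent enable.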


4.6.4.17 SF_OutControl

Standards and requirements

IEC 60204-1, Ed. 5.0:2003
9.2.2: Stop functions: Stop function categories; Category 0 - stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop ...)
9.2.5.2: Start: The start of an operation shall be possible only when all of the relevant safety functions and/or protective measures are in place and are operational, except for conditions as described in 9.2.4. Suitable interlocks shall be provided to secure correct sequential starting.

EN 954-1:1996
5.2: Stop function; a stop initiated by protective devices shall put the machine in a safe state ... and shall have priority over a stop for operational reasons.
5.4: Manual reset
5.5: Start and restart; automatic restart only if a hazardous situation cannot exist.
5.11: Fluctuations in energy levels; in case of loss of energy supply, provide or initiate outputs to maintain a safe state.

ISO 12100-2:2003
4.11.4: Restart following power failure/spontaneous restart

Control of a safety output with a signal from the functional application and a safety signal, with optional startup inhibits.

The SF_OutControl FB is an output driver for a safety output. The safety output S_OutControl is controlled using a signal from the functional application (ProcessControl, to control the process) and a signal from the safety application (S_SafeControl, to control the safety function).

Optional conditions for process control (ProcessControl):
● An additional function start (ProcessControl FALSE => TRUE) is required following block activation or feedback of the safe signal (S_SafeControl). A static TRUE signal at ProcessControl does not set S_OutControl to TRUE.
● An additional function start (ProcessControl FALSE => TRUE) is not required following block activation or feedback of the safe signal (S_SafeControl). A static TRUE signal at ProcessControl sets S_OutControl to TRUE if the other conditions have been met.

Optional startup inhibits:
● Startup inhibit after function block activation.
● Startup inhibit after interruption of the protective device.

The StaticControl, S_StartReset and S_AutoReset inputs shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Table 66: FB name: SF_OutControl
Name (Data type, Initial value): Description, parameter values

VAR_INPUT
Activate (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
S_SafeControl (BOOL, FALSE): Variable. Control signal of the preceding safety FB. Typical function block signals from the library (e.g., SF_EStop, SF_GuardMonitoring, SF_TwoHandControlTypeII, and/or others). FALSE: The preceding safety FBs are in the safe state. TRUE: The preceding safety FBs enable safety control.
ProcessControl (BOOL, FALSE): Variable or constant. Control signal from the functional application. FALSE: Request to set S_OutControl to FALSE. TRUE: Request to set S_OutControl to TRUE.
StaticControl (BOOL, FALSE): Constant. Optional conditions for process control. FALSE: A dynamic change at ProcessControl (FALSE => TRUE) is required after block activation or a triggered safety function; an additional function start is required. TRUE: No dynamic change at ProcessControl (FALSE => TRUE) is required after block activation or a triggered safety function.
S_StartReset (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
S_AutoReset (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
Reset (BOOL, FALSE): see Table 16 "General input parameters" on page 203.

VAR_OUTPUT
Ready (BOOL, FALSE): see Table 17 "General output parameters" on page 204.
S_OutControl (BOOL, FALSE): Controls the connected actuators. FALSE: Disable connected actuators. TRUE: Enable connected actuators.
Error (BOOL, FALSE): see Table 17 "General output parameters" on page 204.
DiagCode (WORD, 16#0000): see Table 17 "General output parameters" on page 204.


Typical timing diagrams

Fig. 118: Timing diagram for SF_OutControl: S_StartReset = FALSE

Fig. 119: Timing diagram for SF_OutControl: S_StartReset = TRUE

Error behavior

The following conditions force a transition to the Error state:
● Invalid static Reset signal in the process.
● Invalid static ProcessControl signal.
● ProcessControl and Reset are incorrectly interconnected due to a programming error.

In the event of an error, the S_OutControl output is set to FALSE and remains in this safe state. To leave the Reset, Init or Lock error states, the Reset input must be set to FALSE. To leave the Control error state, the ProcessControl input must be set to FALSE.

After the transition of S_SafeControl to TRUE, the optional startup inhibit can be reset by a rising edge at the Reset input. After block activation, the optional startup inhibit can be reset by a rising edge at the Reset input.


Function block-specific error and status codes

Table 67: FB-specific error codes
DiagCode  State name  State description and output setting
C001  Reset Error 1: Static Reset signal in state 8001.
      Ready = TRUE, S_OutControl = FALSE, Error = TRUE
C002  Reset Error 2: Static Reset signal in state 8003.
      Ready = TRUE, S_OutControl = FALSE, Error = TRUE
C010  Control Error: Static signal at ProcessControl in state 8010.
      Ready = TRUE, S_OutControl = FALSE, Error = TRUE
C111  Init Error: Simultaneous rising trigger at Reset and ProcessControl in state 8001.
      Ready = TRUE, S_OutControl = FALSE, Error = TRUE
C211  Lock Error: Simultaneous rising trigger at Reset and ProcessControl in state 8003.
      Ready = TRUE, S_OutControl = FALSE, Error = TRUE

Table 68: FB-specific status codes (no error)
DiagCode  State name  State description and output setting
0000  Idle: The function block is not active (initial state).
      Ready = FALSE, S_OutControl = FALSE, Error = FALSE
8001  Init: Block activation startup inhibit is active. Reset required.
      Ready = TRUE, S_OutControl = FALSE, Error = FALSE
8002  Safe: Triggered safety function.
      Ready = TRUE, S_OutControl = FALSE, Error = FALSE
8003  Lock: Safety function startup inhibit is active. Reset required.
      Ready = TRUE, S_OutControl = FALSE, Error = FALSE
8010  Output Disable: Process control is not active.
      Ready = TRUE, S_OutControl = FALSE, Error = FALSE
8000  Output Enable: Process control is active and safety is enabled.
      Ready = TRUE, S_OutControl = TRUE, Error = FALSE

4.6.4.18 SF_EDM

Standards and requirements

IEC 60204-1, Ed. 5.0:2003
Section 9.2.2: Stop function categories; Category 0

EN 954-1:1996
5.2: Stop function; a stop initiated by protective devices shall put the machine in a safe state
5.4: Manual reset
6.2: Specification of categories: Fault detection (of the actuator, e.g. open circuits)

ISO 12100-2:2003
4.11.4: Restart following power failure/spontaneous restart

External device monitoring (EDM): The SF_EDM FB controls a safety output and monitors the controlled actuators, e.g. subsequent contactors.

The function block monitors the initial state of the actuators via the feedback signals (S_EDM1 and S_EDM2) before the actuators are enabled by the FB. After the actuators have been enabled by the FB, it monitors their switching state within MonitoringTime.

Two separate feedback signals must be used for an exact diagnosis of the connected actuators. A common feedback signal from the two connected actuators can be used for a restricted yet simple diagnostic function of the connected actuators. When doing so, the user must connect this common signal to both parameter S_EDM1 and parameter S_EDM2; S_EDM1 and S_EDM2 are then controlled by the same signal.


The switching devices used in the safety function should be selected from the category specified in the risk analysis (EN 954-1).

Optional startup inhibits:
● Startup inhibit in the event of block activation.

The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Table 69: FB name: SF_EDM
Name (Data type, Initial value): Description, parameter values

VAR_INPUT
Activate (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
S_OutControl (BOOL, FALSE): Variable. Control signal of the preceding safety FBs. Typical function block signals from the library (e.g., SF_OutControl, SF_TwoHandControlTypeII, and/or others). FALSE: Disable safety output (S_EDM_Out). TRUE: Enable safety output (S_EDM_Out).
S_EDM1 (BOOL, FALSE): Variable. Feedback signal of the first connected actuator. FALSE: Switching state of the first connected actuator. TRUE: Initial state of the first connected actuator.
S_EDM2 (BOOL, FALSE): Variable. Feedback signal of the second connected actuator. If only one signal is used in the application, the user must use a graphic connection to jumper the S_EDM1 and S_EDM2 parameters; S_EDM1 and S_EDM2 are then controlled by the same signal. FALSE: Switching state of the second connected actuator. TRUE: Initial state of the second connected actuator.
S_StartReset (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
Reset (BOOL, FALSE): see Table 16 "General input parameters" on page 203.
MonitoringTime (TIME, T#0ms): Constant. Max. response time of the connected and monitored actuators.

VAR_OUTPUT
Ready (BOOL, FALSE): see Table 17 "General output parameters" on page 204.
S_EDM_Out (BOOL, FALSE): Controls the actuator. The result is monitored by the feedback signals S_EDMx. FALSE: Disable connected actuators. TRUE: Enable connected actuators.
Error (BOOL, FALSE): see Table 17 "General output parameters" on page 204.
DiagCode (WORD, 16#0000): see Table 17 "General output parameters" on page 204.

Typical timing diagrams

Fig. 120: Timing diagrams for SF_EDM: S_StartReset = FALSE

Fig. 121: Timing diagrams for SF_EDM: S_StartReset = TRUE

Error behavior

The following conditions force a transition to the error state:
● Invalid static Reset signal in the process.
● Invalid EDM signal in the process.
● S_OutControl and Reset are incorrectly interconnected due to a programming error.

In error states, the outputs are as follows:
● In the event of an error, S_EDM_Out is set to FALSE and remains in this safe state.
● An EDM error message must always be reset by a rising trigger at Reset.
● A Reset error message can be reset by setting Reset to FALSE.

After block activation, the optional startup inhibit can be reset by a rising edge at the Reset input.


Function block-specific error and status codes

Table 70: FB-specific error codes
DiagCode  State name  State description and output setting
C001  Reset Error 1: Static Reset signal in state 8001.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C011  Reset Error 21: Static Reset signal, or same signals at EDM1 and Reset (rising trigger at Reset and EDM1 at the same time), in state C010.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C021  Reset Error 22: Static Reset signal, or same signals at EDM2 and Reset (rising trigger at Reset and EDM2 at the same time), in state C020.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C031  Reset Error 23: Static Reset signal, or same signals at EDM1, EDM2 and Reset (rising trigger at Reset, EDM1 and EDM2 at the same time), in state C030.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C041  Reset Error 31: Static Reset signal, or same signals at EDM1 and Reset (rising trigger at Reset and EDM1 at the same time), in state C040.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C051  Reset Error 32: Static Reset signal, or same signals at EDM2 and Reset (rising trigger at Reset and EDM2 at the same time), in state C050.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C061  Reset Error 33: Static Reset signal, or same signals at EDM1, EDM2 and Reset (rising trigger at Reset, EDM1 and EDM2 at the same time), in state C060.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C071  Reset Error 41: Static Reset signal in state C070.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C081  Reset Error 42: Static Reset signal in state C080.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C091  Reset Error 43: Static Reset signal in state C090.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C010  EDM Error 11: The signal at EDM1 is not valid in the initial actuator state. In state 8010 the EDM1 signal is FALSE when enabling S_OutControl.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C020  EDM Error 12: The signal at EDM2 is not valid in the initial actuator state. In state 8010 the EDM2 signal is FALSE when enabling S_OutControl.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C030  EDM Error 13: The signals at EDM1 and EDM2 are not valid in the initial actuator states. In state 8010 the EDM1 and EDM2 signals are FALSE when enabling S_OutControl.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C040  EDM Error 21: The signal at EDM1 is not valid in the initial actuator state. In state 8010 the EDM1 signal is FALSE and the monitoring time has elapsed.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C050  EDM Error 22: The signal at EDM2 is not valid in the initial actuator state. In state 8010 the EDM2 signal is FALSE and the monitoring time has elapsed.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C060  EDM Error 23: The signals at EDM1 and EDM2 are not valid in the initial actuator states. In state 8010 the EDM1 and EDM2 signals are FALSE and the monitoring time has elapsed.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C070  EDM Error 31: The signal at EDM1 is not valid in the actuator switching state. In state 8000 the EDM1 signal is TRUE and the monitoring time has elapsed.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C080  EDM Error 32: The signal at EDM2 is not valid in the actuator switching state. In state 8000 the EDM2 signal is TRUE and the monitoring time has elapsed.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C090  EDM Error 33: The signals at EDM1 and EDM2 are not valid in the actuator switching state. In state 8000 the EDM1 and EDM2 signals are TRUE and the monitoring time has elapsed.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE
C111  Init Error: Same signals at S_OutControl and Reset (R_TRIG in the same cycle) detected; may be a programming error.
      Ready = TRUE, S_EDM_Out = FALSE, Error = TRUE

Table 71: FB-specific status codes (no error)
DiagCode  State name  State description and output setting
0000  Idle: The function block is not active (initial state).
      Ready = FALSE, S_EDM_Out = FALSE, Error = FALSE
8001  Init: Block activation startup inhibit is active. Reset required.
      Ready = TRUE, S_EDM_Out = FALSE, Error = FALSE
8010  Output Disable: EDM control is not active. Timer starts when the state is entered.
      Ready = TRUE, S_EDM_Out = FALSE, Error = FALSE
8000  Output Enable: EDM control is active. Timer starts when the state is entered.
      Ready = TRUE, S_EDM_Out = TRUE, Error = FALSE
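Added Python model of the SF_EDM feedback check (example code written for this page, not the library's implementation): the block only reports S_EDM_Out = TRUE while the actuators' mirror contacts agree with the command, and it raises the 1x/2x/3x error families of Table 70 when they do not. The cycle time, the return to 8010 after a Reset from an EDM error and the "elapsed" comparison are assumptions noted in the docstring; the names are the example's own.

```python
"""Cycle-by-cycle model of SF_EDM: the safety output is trusted only while the
actuators' feedback contacts (S_EDM1/S_EDM2) confirm it within MonitoringTime.

Added example for this manual section; not ABB's or PLCopen's library code.
Assumptions where the page does not spell out the transition: the cycle time is
passed in as dt_ms; a rising Reset from an EDM error returns to 8010 (Output
Disable) and a fresh rising edge of S_OutControl is then needed; MonitoringTime
counts as elapsed once the accumulated disagreement time reaches it.
"""
from dataclasses import dataclass


def _edm_code(edm1_bad: bool, edm2_bad: bool, base: int) -> int:
    """EDM error family (base = C010, C040 or C070): x1 = EDM1, x2 = EDM2, x3 = both."""
    return {(True, False): base, (False, True): base + 0x10,
            (True, True): base + 0x20}[(edm1_bad, edm2_bad)]


@dataclass
class SFEDM:
    monitoring_time_ms: int
    s_start_reset: bool = False       # TRUE: no startup inhibit after activation
    diag: int = 0x0000
    s_edm_out: bool = False
    _t_ms: int = 0                    # time the feedback has disagreed with the output
    _out_prev: bool = False
    _reset_prev: bool = False

    def cycle(self, activate, s_out_control, s_edm1, s_edm2, reset=False, dt_ms=10):
        """One PLC cycle; returns the DiagCode."""
        out_rise = s_out_control and not self._out_prev
        reset_rise = reset and not self._reset_prev
        self._out_prev, self._reset_prev = s_out_control, reset
        d = self.diag

        if not activate:
            d = 0x0000
        elif d == 0x0000:
            d = 0x8010 if self.s_start_reset else 0x8001
        elif d == 0x8001:                                  # startup inhibit, Reset required
            if reset_rise and out_rise:
                d = 0xC111                                 # Reset and S_OutControl wired together?
            elif reset_rise:
                d, self._t_ms = 0x8010, 0
            elif reset:
                d = 0xC001                                 # static Reset
        elif d in (0xC001, 0xC111):
            d = 0x8001 if not reset else d
        elif d == 0x8010:                                  # output off: feedback must read TRUE
            bad = (not s_edm1, not s_edm2)
            if out_rise:
                d = _edm_code(*bad, 0xC010) if any(bad) else 0x8000
                self._t_ms = 0
            elif any(bad):
                self._t_ms += dt_ms
                if self._t_ms >= self.monitoring_time_ms:
                    d = _edm_code(*bad, 0xC040)            # contactor never dropped out (welded?)
            else:
                self._t_ms = 0
        elif d == 0x8000:                                  # output on: feedback must go FALSE
            bad = (s_edm1, s_edm2)
            if not s_out_control:
                d, self._t_ms = 0x8010, 0
            elif any(bad):
                self._t_ms += dt_ms
                if self._t_ms >= self.monitoring_time_ms:
                    d = _edm_code(*bad, 0xC070)            # contactor did not pull in
            else:
                self._t_ms = 0
        elif d & 0xF == 0:                                 # EDM error Cxx0: rising Reset required
            if reset_rise:
                d, self._t_ms = 0x8010, 0
            elif reset:
                d += 1                                     # Cxx1: static Reset in this EDM error
        else:                                              # Reset error Cxx1 clears on Reset FALSE
            if not reset:
                d -= 1

        self.diag = d
        self.s_edm_out = d == 0x8000
        return d


def trace(fb: SFEDM, samples):
    """Run (activate, s_out_control, s_edm1, s_edm2, reset) tuples, one per cycle."""
    return [fb.cycle(*s) for s in samples]
```

With two separate feedback contacts the code identifies which actuator misbehaved (x1, x2 or x3); with a single common feedback wired to both S_EDM1 and S_EDM2, as the manual allows, only the x3 codes can occur, which is the "restricted yet simple" diagnosis mentioned above.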


4.6.5 SafetyDeviceExt_LV100_PROFIsafe_AC500_V27.lib

This library includes a PROFIsafe F-Device stack implementation (the PROFISAFEDEVICESTACK POU), which is the main F-Device component.

Table 72: FB name: PROFISAFEDEVICESTACKName Data type Initial value Description, parameter valuesVAR_INPUTDevice_Fault_DS BOOL FALSE Failure in device.

This parameter allows the application to inform theF-Host about a malfunction. If Device_Fault_DS isset, the master stack sets FV_activated = 1 in thecontrol byte.

FV_activated_DS BOOL FALSE Fail-safe values activated.It allows the application to inform the F-Host that ituses fail-safe values.It is set internally by the PROFIsafe device stackwhen SM560-S-FD-1 / SM560-S-FD-4 is in DEBUGSTOP state.

pIODesc POINTER NULL Internal input parameter. (Internal use only!)VAR_OUTPUTSTATE PROFIsafe_STA

TE_ENUMPROFIsafe_STATE_ INIT

This parameter returns the current state of thePROFIsafe device stack. For example, the user canfind out why the currently transmitted F-Parameterset was not accepted Ä Table 73 “PROFIsafe F-Device states” on page 307.

FV_STATE BOOL TRUE If TRUE, this parameter indicates that the devicestack is delivering fail-safe value "0" to the F-Hostprogram for every input value. Otherwise, processvalues are delivered.

F_Source_Add WORD 0 This parameter represents the F-Source address thatwas transferred from the F-Host to this F-Device viathe F-Parameters.

F_Dest_Add WORD 0 This parameter specifies the F-Destination address,which shall match the switch address setting ofSM560-S-FD-1 / SM560-S-FD-4 and the formula forthe F-Destination addresses Ä Table 9 “F-Parame-ters of AC500-S safety modules” on page 143.


Table 72 (continued): FB name: PROFISAFEDEVICESTACK

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| activate_FV_DC | BOOL | FALSE | This parameter is for debugging purposes only. If TRUE, this parameter indicates to the F-Device that FV shall be used. |
| OA_Req_DC | BOOL | FALSE | This parameter is for debugging purposes only. If TRUE, the F-Host requests an operator acknowledgment for the F-Device from the F-Host safety application. In the event of an error (watchdog timeout or CRC, etc.) the fail-safe values are activated. If the error is no longer present (the communication with the module was re-established) and an operator acknowledgment is possible, the F-Host driver sets OA_Req_S = TRUE. If the F-Host application sets OA_C = TRUE, OA_Req_S is reset to FALSE and normal operation is resumed. |

NOTICE!
Since the F-Device instances do not support iParameters, the function block has no possibility to set the bit iPar_OK_S in the status byte or to read the bit iPar_EN_C from the PROFIsafe control byte.

The PROFIsafe F-Device instances start asynchronously after power-up. F-Parameters are written to the PROFINET IO device (CM589-PNIO or CM589-PNIO-4) by the corresponding F-Host / PROFINET IO controller. F-Parameters are then transferred via the non-safety CPU to the SM560-S-FD-1 / SM560-S-FD-4, which can use them to parameterize the F-Device instance. If parameterization is repeated, F-Device instances are re-initialized at runtime. F-Parameters are only transferred by AC500 communication modules and the non-safety CPU and are protected against transmission errors by the F_Par_CRC.

The F-Source address of an F-Device instance is set at runtime by the F-Host using the F_Source_Add parameter in the F-Parameters. On SM560-S-FD-1 / SM560-S-FD-4, in addition to the normal tests of the F-Device stack, it is checked that the F-Source address of an F-Device instance does not overlap with the F-Source addresses of the own F-Host. If there is an overlap, the error is set for the newly parameterized F-Device instance.

As soon as the F-Device instance is configured, it continues to check that the F-Source addresses reported by the F-Host are valid. If not, the error is set and the boot project is not loaded.

The F-Device stack can report the following errors to the F-Host via the status byte:
● Device_Fault: malfunction in the device. This error can be triggered from the application using the Device_Fault_DS flag on the PROFISAFEDEVICESTACK FB.
● CE_CRC (communication error): CRC error or wrong consecutive number. This error is automatically triggered by the stack.
● WD_timeout (watchdog timeout): No valid PROFIsafe telegram received within the F_WD_Time. This error is automatically triggered by the stack.
● FV_activated_S (fail-safe values are activated): Indicates to the F-Host that FV are used. It can also be set by the FV_activated_DS flag from the F-Device application.

The F-Host can also detect communication errors (watchdog timeout, CRC error or incorrect consecutive number). The application behind the corresponding F-Device can be informed about these errors via the activate_FV_DC flag = TRUE of the PROFISAFEDEVICESTACK instance and can react accordingly.

The application can use the output variable "STATE" to obtain information about the current status of the F-Device instance.


Fig. 122: PROFIsafe F-Device state diagram (states PROFIsafe_STATE_INIT, PROFIsafe_STATE_INIT_*1, PROFIsafe_STATE_PARAM, PROFIsafe_STATE_DATAEX and PROFIsafe_STATE_DATAEX_*2, connected by the transitions T1 to T4)
*1 = FPAR_F_DEST_ADD_MISMATCH, FPAR_F_DEST_ADD_NOT_VALID, FPAR_F_SRC_ADD_NOT_VALID, FPAR_WD_TIME_NULL, FPAR_F_SIL_ERR, FPAR_CRC_LENGTH, FPAR_VERSION_ERR, FPAR_CRC1_ERR
*2 = F_OUTPUT_OK, F_OUTPUT_OLD_CONSNR, F_OUTPUT_PASSIVATED, F_OUTPUT_COM_ERR, F_OUTPUT_WD_TIMEOUT

T1 Good F-Parameters received
T2 Bad F-Parameters received
T3 F-Host limit not reached
T4 Message processed

The state transitions T1 and T2 are executed immediately when new F-Parameters have been transferred for the F-Device instance. If the F-Source address limit for the SM560-S-FD-1 (max. 1 F-Source address) / SM560-S-FD-4 (max. 4 different F-Source addresses) is not yet reached, transition T3 switches immediately. If the F-Source address limit has been reached, active F-Device instances (PROFIsafe_STATE_DATAEX states) of an F-Host must be stopped by a T1 or T2 transition.

The following table describes the meaning of each state:

Table 73: PROFIsafe F-Device states

| Value of STATE output on PROFIsafe F-Device stack instance | Meaning |
|---|---|
| PROFIsafe_STATE_INIT | Status after initialization of F-Device instances. |
| PROFIsafe_STATE_FPAR_F_DEST_ADD_MISMATCH | Parameterization error: F-Destination address does not correspond to the given value based on the rotary address switch value on the SM560-S-FD-1 / SM560-S-FD-4 safety CPU. Refer also to diagnosis Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387, Module 28, Error 28. |
| PROFIsafe_STATE_FPAR_F_DEST_ADD_NOT_VALID | Parameterization error: F-Destination address invalid. Refer also to diagnosis Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387, Module 28, Error 1. |


Table 73 (continued): PROFIsafe F-Device states

| Value of STATE output on PROFIsafe F-Device stack instance | Meaning |
|---|---|
| PROFIsafe_STATE_FPAR_F_SRC_ADD_NOT_VALID | Parameterization error: F-Source address is invalid or overlapping with F-Source addresses of F-Host instances. Refer also to diagnosis Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387, Module 28, Error 2. |
| PROFIsafe_STATE_FPAR_WD_TIME_NULL | Parameterization error: Watchdog time set to zero. Refer also to diagnosis Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387, Module 28, Error 11. |
| PROFIsafe_STATE_FPAR_F_SIL_ERR | Parameterization error: Requested SIL is too high. Refer also to diagnosis Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387, Module 28, Error 10. |
| PROFIsafe_STATE_FPAR_CRC_LENGTH | Parameterization error: Required CRC length does not fit to the data length. Refer also to diagnosis Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387, Module 28, Error 42. |
| PROFIsafe_STATE_FPAR_VERSION_ERR | Parameterization error: PROFIsafe version error. Refer also to diagnosis Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387, Module 28, Error 40. |
| PROFIsafe_STATE_FPAR_CRC1_ERR | Parameterization error: CRC error in F-Parameters. Refer also to diagnosis Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387, Module 28, Error 19. |
| PROFIsafe_STATE_PARAM | F-Host limitation error: F-Parameters accepted, but the F-Device does not exchange data because of the F-Host limitation. No diagnosis message is available. If required, a customized AC500 diagnosis message shall be generated. |
| PROFIsafe_STATE_DATAEX | F-Parameters are accepted, the F-Device instance can exchange process data. |
| PROFIsafe_STATE_DATAEX_F_OUTPUT_OK | The PROFIsafe output telegram for the F-Host is valid. |
| PROFIsafe_STATE_DATAEX_F_OUTPUT_OLD_CONSNR | The PROFIsafe output telegram for the F-Host is valid with an old consecutive number. |
| PROFIsafe_STATE_DATAEX_F_OUTPUT_PASSIVATED | A communication error was detected or the F-Host sends "activate_FV" in the PROFIsafe control byte. If required, a customized AC500 diagnosis message shall be generated from the application (if PROFIsafe_STATE_DATAEX_F_OUTPUT_PASSIVATED is detected on the STATE output of the F-Device stack instance). |


Table 73 (continued): PROFIsafe F-Device states

| Value of STATE output on PROFIsafe F-Device stack instance | Meaning |
|---|---|
| PROFIsafe_STATE_DATAEX_F_OUTPUT_COM_ERR | PROFIsafe error: CRC error in PROFIsafe output telegram is detected. If required, a customized AC500 diagnosis message shall be generated from the application (if PROFIsafe_STATE_DATAEX_F_OUTPUT_COM_ERR is detected on the STATE output of the F-Device stack instance). |
| PROFIsafe_STATE_DATAEX_F_OUTPUT_WD_TIMEOUT | PROFIsafe error: Watchdog timeout detected. If required, a customized AC500 diagnosis message shall be generated from the application (if PROFIsafe_STATE_DATAEX_F_OUTPUT_WD_TIMEOUT is detected on the STATE output of the F-Device stack instance). |

4.6.6 SafetyExt2_LV110_AC500_V27.lib

SafetyExt2_LV110_AC500_V27.lib library includes the following POUs:

System commands
● SF_SAFE_STOP (Triggering of the SAFE STOP on the safety CPU)

System information
● SF_MAX_POWER_DIP_GET_CFG (Getting the configured number of restarts after power dip in the safety CPU)
● SF_BOOTPROJECT_CRC (Getting boot project CRC)

Specific functions for user-defined CRC calculation
● SF_CRC_INIT (Initialization of CRC calculation tables for a user-defined CRC polynomial)
● SF_CRC_INPUT (Start of CRC calculation for a data block)
● SF_CRC_FINISH (Return of the CRC value and re-initialization for the next CRC calculation)

4.6.6.1 SF_SAFE_STOP

The function SF_SAFE_STOP allows the user to set the safety CPU directly into the SAFE STOP state.

Table 74: FB name: SF_SAFE_STOP

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_INPUT | | | |
| DUMP_INFO | DWORD | 16#00000000 | The value DUMP_INFO is written to the core dump so that the user can find out together with the ABB support team at which point in his safety application the SAFE STOP state was triggered. |


Table 74 (continued): FB name: SF_SAFE_STOP

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_OUTPUT | | | |
| SF_SAFE_STOP | BOOL | FALSE | The output is not used and is only available because functions must be defined with a return value. The application will not be able to evaluate the output as the safety CPU switches to the safe state. |

Call in ST:
SF_SAFE_STOP(DUMP_INFO:=16#B5006BB1);

4.6.6.2 SF_MAX_POWER_DIP_GET_CFG

The SF_MAX_POWER_DIP_GET_CFG function returns the configured maximum power dip value of the safety CPU, see Chapter 4.6.7.2 “SF_MAX_POWER_DIP_SET” on page 317 and Chapter 4.6.7.6 “SF_MAX_POWER_DIP_GET” on page 321.

Table 75: FB name: SF_MAX_POWER_DIP_GET_CFG

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_OUTPUT | | | |
| SF_MAX_POWER_DIP_GET_CFG | WORD | 16#0000 | Configured maximum number of tolerated power dips (undervoltage/overvoltage faults). |

Call in ST:
MAX_POWER_DIPS_CFG := SF_MAX_POWER_DIP_GET_CFG();

4.6.6.3 SF_BOOTPROJECT_CRC

The SF_BOOTPROJECT_CRC function returns the CRC of the boot project which was in the flash memory when the safety CPU was started (it corresponds to the boot project CRC which is displayed in the AC500-S Programming Tool under the menu item “Online → Check bootproject in PLC”).

Table 76: FB name: SF_BOOTPROJECT_CRC

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_OUTPUT | | | |
| SF_BOOTPROJECT_CRC | DWORD | 16#00000000 | CRC of the boot project in flash memory when the safety CPU was started. |


Call in ST:
BOOTPROJECT_CRC := SF_BOOTPROJECT_CRC();

4.6.6.4 Specific functions for user-defined CRC calculation

The SF_CRC_INIT, SF_CRC_INPUT and SF_CRC_FINISH functions offer a CRC calculation for a user-defined data block by a user-defined CRC polynomial, e.g., FSoE (Functional Safety over EtherCAT) or CRC8. The user-defined data and calculated CRC can be used both for sending the user-defined data with the calculated CRC and for receiving the user-defined data with the CRC (the calculated CRC is then used for comparison with the received CRC value) if acyclic non-safe data exchange or cyclic non-safe data exchange is used on the safety CPU for user-defined safety communications (contact ABB technical support for more details). See Appendix B.5 “Data exchange between safety CPU and AC500 V2 non-safety CPU” on page 393 and Appendix C.5 “Data exchange between safety CPU and AC500 V3 non-safety CPU” on page 409.

The CRC calculation tables exist on only one of the two microprocessors of the safety CPU, to implement the 1oo2 safety architecture for safety telegram handling. The same mechanism is used for PROFIsafe communication. This mechanism allows reaching the SIL 3 (IEC 61508 and IEC 62061) and PL e (ISO 13849-1) safety integrity level for data exchange using acyclic non-safe data exchange or cyclic non-safe data exchange.

To give the user the possibility to serve several safety communications, like FSoE, with different CRC polynomials (if needed), up to 8 different CRC operations for safety communications can be managed in parallel (each identified via the function input CRC_SLOT).

Three phases have to be implemented in the safety application for user-defined CRC calculation using the provided functions.

Phase 1: CRC initialization
1. For operating a user-defined CRC calculation, the user has to configure it. If more than one user-defined safety communication is planned to be used in the safety application, call SF_CRC_INIT once for each of the planned safety communications to initialize their CRC calculations.
   ⇒ The call of SF_CRC_INIT builds up the CRC calculation table for a user-defined CRC polynomial (given via input POLYNOM) with its CRC length (input BITS) for the selected safety communication (identified via CRC_SLOT input). Only one initialization of a selected CRC slot is allowed. After initialization, a re-initialization leads to an error, see Chapter 4.6.6.4.1 “SF_CRC_INIT” on page 312.
2. Further configuration settings have to be done via additional FB inputs.

Phase 2: CRC calculation
1. Call SF_CRC_INPUT to calculate a CRC value over a user data block (previously configured with SF_CRC_INIT) for the selected safety communication (identified via input CRC_SLOT). You have to call SF_CRC_INPUT for each safety communication separately with the correct CRC_SLOT input value.
   ⇒ The calculation is done in one CPU processing cycle (a large data amount can lead to prolongation of the CPU cycle time), see Chapter 4.6.6.4.2 “SF_CRC_INPUT” on page 313.

Phase 3: Finalize the CRC calculation
1. Call SF_CRC_FINISH to get the calculated CRC value for the selected safety communication (identified via CRC_SLOT input). You have to call SF_CRC_FINISH for each safety communication separately with the correct CRC_SLOT input value.
   ⇒ The function returns the calculated CRC value which has been previously calculated with SF_CRC_INPUT and prepares the next CRC calculation cycle.


2. In case of the receiving direction of the safety communication, the calculated value which is returned from SF_CRC_FINISH has to be validated against the received CRC value, see Chapter 4.6.6.4.3 “SF_CRC_FINISH” on page 315.

NOTICE!
Usage of these functions requires detailed knowledge on the handling of CRC-protected data in safety communication protocols. Furthermore, it is essential to call the functions in a correct manner, because not all error scenarios are explicitly detectable. To give more information on how to implement the application program, some implementation guidelines are given, see Chapter 4.6.6.4.4 “Application guidelines” on page 315.

DANGER!
The user application must not include the CRC data in the data block when calculating the CRC value for the received data block. Including it would always produce a CRC result of "0", regardless of the data, so the check would be meaningless. It is mandatory to validate the calculated CRC from SF_CRC_FINISH against the received CRC value.

4.6.6.4.1 SF_CRC_INIT

The SF_CRC_INIT function initializes the CRC calculation table and does further settings for the used safety communication CRC calculation identified via input CRC_SLOT.

This function shall only be called once per safety communication and related CRC slot because:
● Internal tables are created for optimized runtime calculation, which needs processing time.
● Further calls (after successful configuration) return FALSE and re-configuration is rejected because the former successful initialization remains unchanged, as designed.

The function SF_CRC_INIT must be called for each used safety communication identified via the CRC_SLOT input.

Table 77: FB name: SF_CRC_INIT

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_INPUT | | | |
| CRC_SLOT | BYTE | 0 | Identifies the CRC for the given safety communication with related CRC slot value for which the CRC initialization is configured. Allowed values: 0..7 |
| BITS | BYTE | 0 | Defines the CRC bit size to be used (depending on the degree of the used polynomial). Allowed values: 1 … 32 |


Table 77 (continued): FB name: SF_CRC_INIT

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| START_VALUE | DWORD | 16#00000000 | Defines the start value for CRC calculation. It depends on the safety communication protocol specification. All values are allowed. |
| POLYNOM | DWORD | 16#00000000 | CRC polynomial (represented by the hexadecimal value of the given CRC equation). All values except 0 are allowed. The value 0 leads to SAFE STOP of the safety CPU if the SF_CRC_FINISH function is called afterwards. |
| REFLECT_IN | BOOL | FALSE | Defines if input data shall be rotated bitwise or not. FALSE: No bitwise rotation. TRUE: Bitwise rotation. |
| REFLECT_OUT | BOOL | FALSE | Defines if the CRC value shall be rotated bitwise or not. FALSE: No bitwise rotation. TRUE: Bitwise rotation. |
| XOR_OUT | DWORD | 16#00000000 | Defines the operand for the bitwise XOR operation with the CRC value, which is later delivered at the output using the SF_CRC_FINISH function. All values are allowed. |
| VAR_OUTPUT | | | |
| SF_CRC_INIT | BOOL | TRUE | Result of CRC calculation initialization for safety communication and related CRC slot. TRUE: CRC calculation initialization is successful. FALSE: Error in CRC calculation initialization. Possible reasons: CRC_SLOT invalid (> 7); BITS invalid (not in range 1 … 32); CRC_SLOT already successfully initialized. |

Call in ST:
SF_CRC_INIT_Slot1 := SF_CRC_INIT(CRC_SLOT1, BITS_SLOT1, START_VALUE_SLOT1, POLYNOM_SLOT1, REFLECT_IN_SLOT1, REFLECT_OUT_SLOT1, XOR_OUT_SLOT1);

4.6.6.4.2 SF_CRC_INPUT

The SF_CRC_INPUT function performs the CRC calculation over a given user-defined data block (addressed via pointer at the DATA input) with a given length (via the LENGTH input) for the given safety communication identified via input CRC_SLOT. The CRC calculation is done on one microprocessor only (1oo2 safety architecture is used on the AC500-S safety CPU), but the CRC calculation result is available on both safety CPU microprocessors.


Two options are possible for the CRC calculation:
● Calculation in one processing cycle: This means the calculation is done by setting the DATA input to the data buffer base address and setting the LENGTH input to the complete data buffer size.
● Sequenced calculation: This means the calculation is split into multiple processing cycles. This could be required for specific reasons of the safety communication protocol. The sequence is started by setting the DATA input to the data buffer base address and setting the LENGTH input to a partial data buffer size (the first part of the complete buffer). The next sequence is done by setting the DATA input to [data buffer base address + length in the previous sequence] and setting the LENGTH input to the next partial data buffer size (and so on). As a result, the CRC calculation can be sequenced in byte-by-byte steps. It is important to call the SF_CRC_FINISH function only once, after the complete CRC calculation sequence is executed over the complete data block.

Table 78: FB name: SF_CRC_INPUT

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_INPUT | | | |
| CRC_SLOT | BYTE | 0 | Identifies the CRC slot of the safety communication for which the CRC calculation is performed. Allowed values: 0...7 |
| DATA | DWORD | 16#00000000 | Memory start address as pointer (via ADR operator) of the data block for which the CRC is calculated. Allowed values: Must be inside the user memory space (in combination with LENGTH input) |
| LENGTH | WORD | 16#0000 | Length of the data block (based on DATA input) for which the CRC is calculated. Allowed values: Must be inside the user memory space (in combination with DATA input) |
| VAR_OUTPUT | | | |
| SF_CRC_INPUT | BOOL | FALSE | Result of the SF_CRC_INPUT function. TRUE: CRC calculation successful. FALSE: Error in CRC calculation, possible reasons: CRC_SLOT invalid (> 7); CRC polynomial invalid (“0”); DATA and/or LENGTH invalid (data buffer is outside the allowed user memory space); selected CRC_SLOT not initialized successfully. |

Call in ST:
SF_CRC_INPUT_Slot1 := SF_CRC_INPUT(CRC_SLOT1, ADR(DATA_SLOT1), LENGTH_SLOT1);


4.6.6.4.3 SF_CRC_FINISH

The SF_CRC_FINISH function returns the calculated CRC value and re-initializes the CRC calculation for the selected safety communication, identified via input CRC_SLOT.

NOTICE!
SF_CRC_FINISH shall only be called once after the CRC calculation is done with SF_CRC_INPUT, and before starting a new CRC calculation cycle.
If SF_CRC_FINISH is not called (after the actual CRC calculation and before the next CRC calculation):
– The newly calculated CRC value is not available in the safety application.
– The required re-initialization for the next CRC calculation cycle is missing, which will provide an unexpected result during the next SF_CRC_INPUT function call.

If SF_CRC_FINISH is called more than once (after the actual CRC calculation and before the next CRC calculation), only the first call returns the valid calculated CRC value. Following calls will return invalid CRC values.

Table 79: FB name: SF_CRC_FINISH

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_INPUT | | | |
| CRC_SLOT | BYTE | 0 | Identifies the CRC slot of the safety communication for which the CRC value is returned. Allowed values: 0...7 |
| VAR_OUTPUT | | | |
| SF_CRC_FINISH | DWORD | 16#00000000 | CRC calculation result |

NOTICE!
Under the following error conditions, SF_CRC_FINISH initiates a SAFE STOP to protect from unrecoverable error situations, possibly caused by an erroneous application (not indicatable by the function return value, since the calculated CRC value does not have any value restrictions):
– CRC_SLOT invalid (>7)
– CRC_SLOT configured with CRC polynomial “0”
– CRC_SLOT not configured at all or not configured successfully

Call in ST:
SF_CRC_FINISH_Slot1 := SF_CRC_FINISH(CRC_SLOT1);

4.6.6.4.4 Application guidelines

We recommend following these guidelines to prevent the risk of getting invalid CRC values or an unwanted SAFE STOP of the safety CPU.


Preparation guideline
● Analyze the safety communication protocol specification you want to realize. Define the configuration values which are needed to configure your CRC functionality. This affects all input values of the SF_CRC_INIT function.

Implementation guideline
● Make sure that you call SF_CRC_INIT only once and with a polynomial unequal to 0. Only if SF_CRC_INIT returns TRUE, allow subsequent calls of SF_CRC_INPUT and SF_CRC_FINISH.
● Make sure that you call SF_CRC_INPUT/SF_CRC_FINISH with the correct CRC_SLOT input.
● Make sure that you call SF_CRC_INPUT within the allowed safety application memory space, e.g., by using the ADR and SIZEOF functions.
● Make sure that you call SF_CRC_FINISH exactly one time after completion of the CRC calculation for the given user data block, and before the next CRC calculation cycle.
● Make sure that you always exclude the received CRC value from the CRC calculation, and validate the received CRC value against the calculated CRC value from the SF_CRC_FINISH output. In the case of a mismatch, reject the received data. Only accept data with successful CRC validation.
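The three-phase slot API (SF_CRC_INIT, SF_CRC_INPUT, SF_CRC_FINISH with the Table 77 inputs BITS, START_VALUE, POLYNOM, REFLECT_IN, REFLECT_OUT, XOR_OUT), the one-cycle versus sequenced calculation, and the receive-side guideline above, as an added example in Python. This is a software model written for this page, not ABB's library code, which runs on the safety CPU; the class and function names, the SafeStop exception, the big-endian CRC trailer and the standard CRC-16/CCITT-FALSE, CRC-32 and CRC-8 parameter sets used to exercise it are assumptions.

```python
# Added example, not ABB library code: a software model of the SF_CRC_INIT /
# SF_CRC_INPUT / SF_CRC_FINISH slot API. Names, the SafeStop exception and the
# big-endian CRC trailer are assumptions; REFLECT_* is modelled as bit reversal.
from typing import Dict, List, Optional

class SafeStop(Exception):
    """Models the SAFE STOP the safety CPU enters on misuse of SF_CRC_FINISH."""

def reflect(value: int, width: int) -> int:
    """Reverse the low `width` bits of `value` (bit 0 <-> bit width-1)."""
    return int(f"{value & ((1 << width) - 1):0{width}b}"[::-1], 2)

class CrcSlot:
    """One CRC slot: lookup table built once at init, register kept between calls."""

    def __init__(self, bits: int, start_value: int, polynom: int,
                 reflect_in: bool, reflect_out: bool, xor_out: int) -> None:
        self.bits, self.xor_out = bits, xor_out
        self.reflect_in, self.reflect_out = reflect_in, reflect_out
        self.polynom = polynom & ((1 << bits) - 1)
        # Polynomials narrower than 8 bits run left-aligned in an 8-bit register,
        # so one byte-wise table serves every BITS value from 1 to 32.
        self.width = max(8, bits)
        self.shift = self.width - bits
        self.mask = (1 << self.width) - 1
        self.start = (start_value & ((1 << bits) - 1)) << self.shift
        poly, top = self.polynom << self.shift, 1 << (self.width - 1)
        self.table: List[int] = []
        for i in range(256):
            r = i << (self.width - 8)
            for _ in range(8):
                r = ((r << 1) ^ poly) & self.mask if r & top else (r << 1) & self.mask
            self.table.append(r)
        self.register = self.start

class CrcSlots:
    """Models the 8 parallel CRC slots (CRC_SLOT 0..7) of the safety CPU."""

    def __init__(self) -> None:
        self.slots: Dict[int, CrcSlot] = {}

    def sf_crc_init(self, crc_slot: int, bits: int, start_value: int, polynom: int,
                    reflect_in: bool = False, reflect_out: bool = False,
                    xor_out: int = 0) -> bool:
        # FALSE for CRC_SLOT > 7, BITS outside 1..32 or an already initialised slot.
        # POLYNOM = 0 is accepted here; as documented it is only fatal at SF_CRC_FINISH.
        if not 0 <= crc_slot <= 7 or not 1 <= bits <= 32 or crc_slot in self.slots:
            return False
        self.slots[crc_slot] = CrcSlot(bits, start_value, polynom,
                                       reflect_in, reflect_out, xor_out)
        return True

    def sf_crc_input(self, crc_slot: int, data: bytes) -> bool:
        # Feeds one data block, or one part of it for a sequenced calculation.
        slot = self.slots.get(crc_slot)
        if slot is None or slot.polynom == 0:
            return False
        r = slot.register
        for byte in data:
            if slot.reflect_in:
                byte = reflect(byte, 8)
            idx = ((r >> (slot.width - 8)) ^ byte) & 0xFF
            r = ((r << 8) ^ slot.table[idx]) & slot.mask
        slot.register = r
        return True

    def sf_crc_finish(self, crc_slot: int) -> int:
        # Returns the CRC and re-initialises the slot for the next calculation cycle.
        slot = self.slots.get(crc_slot)
        if slot is None or slot.polynom == 0:
            raise SafeStop(f"SF_CRC_FINISH on unusable CRC_SLOT {crc_slot}")
        value = slot.register >> slot.shift
        if slot.reflect_out:
            value = reflect(value, slot.bits)
        slot.register = slot.start
        return (value ^ slot.xor_out) & ((1 << slot.bits) - 1)

def crc_of(slots: CrcSlots, crc_slot: int, data: bytes, chunk: Optional[int] = None) -> int:
    """One-cycle calculation (chunk=None) or sequenced calculation in `chunk`-byte
    parts; in both cases SF_CRC_FINISH is called exactly once at the end."""
    step = chunk or max(len(data), 1)
    for off in range(0, len(data), step):
        if not slots.sf_crc_input(crc_slot, data[off:off + step]):
            raise ValueError("SF_CRC_INPUT returned FALSE")
    return slots.sf_crc_finish(crc_slot)

def receive_frame(slots: CrcSlots, crc_slot: int, frame: bytes,
                  crc_len: int) -> Optional[bytes]:
    """Receive direction: CRC over the payload only, compared with the trailer;
    the payload is accepted only on a match (trailer byte order is an assumption)."""
    if len(frame) <= crc_len:
        return None
    payload, trailer = frame[:-crc_len], frame[-crc_len:]
    ok = crc_of(slots, crc_slot, payload) == int.from_bytes(trailer, "big")
    return payload if ok else None
```

Running `crc_of` over payload plus trailer on a slot with XOR_OUT = 0 returns 0 for every intact frame, which is the meaningless result the DANGER note refers to; the comparison in `receive_frame` is the check the guidelines require.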

4.6.7 SafetyExt_AC500_V22.lib

SafetyExt_AC500_V22.lib library includes the following POUs:
● System commands
  – SF_E_ERR_LED_SET (Setting E-ERR LED state (ON or OFF))
  – SF_MAX_POWER_DIP_SET (Setting the maximum number of restarts after power dip in the safety CPU)
  – SF_WDOG_TIME_SET (Setting the maximum allowed cycle time of the safety CPU)
  – SF_APPL_MEASURE_BEGIN (This function defines the start point of time profiling)
  – SF_APPL_MEASURE_END (This function defines the end point of time profiling)
● System information
  – SF_MAX_POWER_DIP_GET (Getting the current number of restarts after power dip in the safety CPU)
  – SF_SAFETY_MODE (Reading out if the safety CPU is in DEBUG or SAFETY mode)
  – SF_SM5XX_OWN_ADR (Getting the value of the hardware switch address on the safety CPU)
  – SF_RTS_INFO (It provides the firmware version of the safety CPU. The version is a binary coded decimal, e.g., 16#10 means version 1.0)
● Data storage
  – SF_FLASH_DEL (This function block deletes a data segment in the flash memory. All data in this data segment will be deleted.)
  – SF_FLASH_READ (The function block reads a data set from a data segment of the flash memory and stores the read data set beginning at the start flag defined by the safety CPU.)
  – SF_FLASH_WRITE (The function block writes data to a data segment in the flash memory.)
● Acyclic non-safe data exchange
  – SF_DPRAM_PM5XX_S_REC (Receiving data from non-safety CPU)
  – SF_DPRAM_PM5XX_S_SEND (Sending data to non-safety CPU)

NOTICE!
For establishing an acyclic non-safe data exchange between safety and non-safety CPU, you have to use dedicated function blocks for the non-safety CPU, see Appendix B.5.1 “Acyclic non-safe data exchange” on page 394 and Appendix C.5.1 “Acyclic non-safe data exchange” on page 410.


4.6.7.1 SF_E_ERR_LED_SET

Setting E-ERR LED state (ON = TRUE or OFF = FALSE)

The E-ERR LED is set directly in the same safety CPU cycle. The state remains unchanged until it is explicitly changed using another SF_E_ERR_LED_SET call.

Table 80: FUN name: SF_E_ERR_LED_SET

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_INPUT | | | |
| SET | BOOL | FALSE | FALSE = E-ERR LED is OFF, TRUE = E-ERR LED is ON |
| VAR_OUTPUT | | | |
| SF_E_ERR_LED_SET | BOOL | FALSE | FALSE = E-ERR LED is OFF, TRUE = E-ERR LED is ON |

Call in ST:
SF_E_ERR_LED_SET_Value := SF_E_ERR_LED_SET(SF_E_ERR_LED_SET_Set);

4.6.7.2 SF_MAX_POWER_DIP_SET

Setting the maximum number of power dips in SM560-S safety CPU

The SF_MAX_POWER_DIP_SET function block allows users to control the safety CPU restart behavior after power-off phases shorter than 1.5 s ("power dip") of the power supply of the non-safety CPU. To avoid repeated power dip detection on the safety CPU, make sure that the power-off phase of the power cycle lasts for at least 1.5 s before the power-on is performed.

To successfully restart the safety CPU in RUN (safety) mode after a power dip was detected, you have to follow the restart procedure. One or two power cycles may be required to prevent uncontrolled behavior after a power dip. Without using the FB SF_MAX_POWER_DIP_SET, two power cycles (or reboot commands) have to be performed after a power dip.

Alternatively, you can configure the restart control with the FB SF_MAX_POWER_DIP_SET. Define the number of tolerated power dips at input MAX_POWER_DIP_CNT. For the defined number of power dips, a restart with only one power cycle (or reboot command) is accepted. The number of occurred power dips is counted inside the safety CPU (the current number is accessible via FB SF_MAX_POWER_DIP_GET, see Chapter 4.6.7.6 “SF_MAX_POWER_DIP_GET” on page 321) and compared to the number available prior to the start of the safety application program (the configured number is accessible via FB SF_MAX_POWER_DIP_GET_CFG, see Chapter 4.6.6.2 “SF_MAX_POWER_DIP_GET_CFG” on page 310). As long as the counted number is not higher than the configured number, only one power cycle (or reboot command) is needed to restart the safety CPU. If the counted number gets higher than the configured value, two power cycles (or reboot commands) are necessary to restart the safety CPU. The current counter can be reset by calling FB SF_MAX_POWER_DIP_SET again.


Only one function block instance must be used in the safety program, otherwise a warning isissued.

NOTICE!
Each time the SF_MAX_POWER_DIP_SET FB is called with an EN transition from FALSE to TRUE, the internal power dip counter value is reset, which means that the power dip counter will be started from 0 now. Thus, it makes sense to call the SF_MAX_POWER_DIP_SET FB in the safety program only once with an EN transition from FALSE to TRUE as a one-time parameterization of the power dip functionality.
If you do not follow the recommendation above, each time the SF_MAX_POWER_DIP_SET FB is called with an EN transition from FALSE to TRUE in the safety application program, the counter value for restarts after power dip in the safety CPU, which can be read from the SF_MAX_POWER_DIP_GET FB, will be reset to '0'.

Table 81: FB name: SF_MAX_POWER_DIP_SET

| Name | Data type | Initial value | Description, parameter values |
|---|---|---|---|
| VAR_INPUT | | | |
| EN | BOOL | FALSE | The block is activated to store the MAX_POWER_DIP_CNT value in the flash memory using a transition of the EN input from FALSE to TRUE. The block remains active and ignores any changes on the EN input until the DONE output is equal to TRUE. The MAX_POWER_DIP_CNT value can be stored in the flash memory only if the transition on the EN input from FALSE to TRUE is triggered. |
| MAX_POWER_DIP_CNT | WORD | 16#0000 | Maximum number of tolerated safety CPU restarts with only one power cycle (or reboot command) after power dip errors. |
| VAR_OUTPUT | | | |
| DONE | BOOL | FALSE | Output DONE indicates that the set process is finished (see also ERR output). |
| ERR | BOOL | FALSE | If TRUE, then an error occurred during the set process (saving of the MAX_POWER_DIP_CNT value to the flash memory). |

Call in ST:
SF_MAX_POWER_DIP_SET (EN := SF_MAX_POWER_DIP_SET_EN,
MAX_POWER_DIP_CNT := SF_MAX_POWER_DIP_SET_MAX_POWER_DIP_CNT,
DONE => SF_MAX_POWER_DIP_SET_DONE,
ERR => SF_MAX_POWER_DIP_SET_ERR);

4.6.7.3 SF_WDOG_TIME_SET

Setting the maximum allowed cycle time of the safety CPU


The SF_WDOG_TIME_SET function block allows the user to monitor the cycle time. The function block must be called by the user during the first cycle. In order to update the outputs ACT_TIME and MAX_TIME, it is necessary to call the function block in each cycle. If the function block is not available in the application, the safety CPU and the application program will enter the SAFE STOP state after the first cycle. The watchdog time is monitored prior to the output of the PROFIsafe telegrams.

If the cycle time is exceeded, an error message is output and the safety CPU enters the SAFE STOP state. Reasonable values are longer than the typical safety CPU runtime and at least two times shorter than the F_WD_Time of the safety I/O module.

Only one function block instance must be used in the safety program, otherwise a warning is issued.

NOTICE!
The cycle time supervision takes place only in RUN (safety) mode.

Table 82: FB name: SF_WDOG_TIME_SET
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
EN | BOOL | FALSE | The function block is activated (EN = TRUE) or deactivated (EN = FALSE) via input EN. If the block is active, the current values are available at the outputs.
WDOG | DWORD | 16#00000000 | Watchdog time in ms. The maximum allowed value is 1000. If WDOG is > 1000, then SAFE STOP state will be entered by the safety CPU.
RESET | BOOL | FALSE | TRUE sets MAX_TIME to 0.
VAR_OUTPUT
DONE | BOOL | FALSE | Output DONE indicates that the set process is finished.
ACT_TIME | DWORD | 16#00000000 | Actual safety CPU cycle time in ms
MAX_TIME | DWORD | 16#00000000 | Maximal monitored safety CPU cycle time in ms

Call in ST:
SF_WDOG_TIME_SET (EN := SF_WDOG_TIME_SET_EN,
    WDOG := SF_WDOG_TIME_SET_WDOG,
    RESET := SF_WDOG_TIME_SET_RESET,
    DONE => SF_WDOG_TIME_SET_DONE,
    ACT_TIME => SF_WDOG_TIME_SET_ACT_TIME,
    MAX_TIME => SF_WDOG_TIME_SET_MAX_TIME);
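As an added example that is not from the ABB manual, a safety program that calls SF_WDOG_TIME_SET in every cycle (the first one included), checks the chosen WDOG once against the rules above (not above 1000 ms, at least two times shorter than the smallest F_WD_Time of the safety I/O modules) and flags when MAX_TIME gets close to WDOG. The F_WD_Time minimum, the watchdog value, the program and variable names are constructed assumptions.

```st
PROGRAM PRG_WDOG_SUPERVISION
VAR CONSTANT
    (* Constructed values: smallest F_WD_Time configured on any safety I/O
       module (ms) and the watchdog chosen for the safety application (ms) *)
    F_WD_TIME_MIN_MS : DWORD := 200;
    WDOG_MS          : DWORD := 80;
END_VAR
VAR
    fbWdog         : SF_WDOG_TIME_SET;  (* the only instance in the safety program *)
    bChecked       : BOOL := FALSE;
    bWdogPlausible : BOOL := FALSE;     (* diagnostic: WDOG obeys the two rules *)
    bResetMax      : BOOL := FALSE;     (* set TRUE for one cycle to clear MAX_TIME *)
    dwActTime      : DWORD := 0;
    dwMaxTime      : DWORD := 0;
    bLowHeadroom   : BOOL := FALSE;     (* diagnostic: MAX_TIME at 80 % of WDOG *)
END_VAR

(* One-time plausibility check of the configured watchdog: WDOG > 1000 ms
   leads to SAFE STOP, and WDOG should be at least two times shorter than
   the F_WD_Time of the safety I/O modules. *)
IF NOT bChecked THEN
    bChecked := TRUE;
    bWdogPlausible := (WDOG_MS <= 1000) AND ((2 * WDOG_MS) <= F_WD_TIME_MIN_MS);
END_IF

(* Called in every cycle, starting with the first one, so that ACT_TIME and
   MAX_TIME are updated and the watchdog configuration is never missing. *)
fbWdog(EN := TRUE, WDOG := WDOG_MS, RESET := bResetMax);
bResetMax := FALSE;    (* RESET is a one-cycle request *)

dwActTime := fbWdog.ACT_TIME;
dwMaxTime := fbWdog.MAX_TIME;

(* Headroom monitoring: the longest cycle observed so far has reached
   80 % of WDOG, i.e. the application is close to the SAFE STOP limit. *)
bLowHeadroom := (5 * dwMaxTime) >= (4 * WDOG_MS);

END_PROGRAM
```

bWdogPlausible and bLowHeadroom are diagnostic outputs only; they are meant to be passed on to the non-safety CPU for visualisation, not to replace the cycle time supervision done by the safety CPU itself.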

4.6.7.4 SF_APPL_MEASURE_BEGIN

Defining the start point of time profiling


Page 320: AC500-S Safety user manual V1.3.0 - ABB

This function defines the start point of time profiling within the safety application program and shall be used together with the SF_APPL_MEASURE_END function. The time profiling results can be seen only using the "applinfo" PLC browser command and cannot be used within the safety application program. The time between the calls of the SF_APPL_MEASURE_BEGIN and SF_APPL_MEASURE_END functions in the safety application program is measured (including within one safety CPU cycle) and saved in the timer identified with the value set for input parameter TIMER.

NOTICE! The SF_APPL_MEASURE_BEGIN function was developed for measuring short time intervals only, which means that for time intervals of ~ 10 minutes and longer it produces invalid results.

Table 83: FUN name: SF_APPL_MEASURE_BEGIN
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
TIMER | BYTE | 16#00 | Timer identification. The allowed range is from 0 to 31.
RESET | BOOL | FALSE | If TRUE, then MAX and MIN results of time profiling will be deleted. Otherwise, the observed values are kept.
VAR_OUTPUT
SF_APPL_MEASURE_BEGIN | BOOL | FALSE | Return value is TRUE if the TIMER value is within the allowed range (0 ... 31), otherwise the return value is FALSE.

Call in ST:
SF_APPL_MEASURE_BEGIN_VALUE := SF_APPL_MEASURE_BEGIN(SF_APPL_MEASURE_BEGIN_TIMER, SF_APPL_MEASURE_BEGIN_RESET);
...
SF_APPL_MEASURE_END_VALUE := SF_APPL_MEASURE_END(SF_APPL_MEASURE_END_TIMER);

4.6.7.5 SF_APPL_MEASURE_END

Defining the end point of time profiling

This function defines the end point of time profiling within the safety application program and shall be used together with the SF_APPL_MEASURE_BEGIN function. The time profiling results can be seen only using the "applinfo" PLC browser command and cannot be used within the safety application program. The time between the calls of the SF_APPL_MEASURE_BEGIN and SF_APPL_MEASURE_END functions in the safety application program is measured and saved in the timer identified with the value set for input parameter TIMER.


Page 321: AC500-S Safety user manual V1.3.0 - ABB

NOTICE! The SF_APPL_MEASURE_END function was developed for measuring short time intervals only, which means that for time intervals of ~ 10 minutes and longer it produces invalid results.

Table 84: FUN name: SF_APPL_MEASURE_END
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
TIMER | BYTE | 16#00 | Timer identification. The allowed range is from 0 to 31.
VAR_OUTPUT
SF_APPL_MEASURE_END | BOOL | FALSE | Return value is TRUE if the TIMER value is within the allowed range (0 ... 31), otherwise the return value is FALSE.

Call in ST:
SF_APPL_MEASURE_BEGIN_VALUE := SF_APPL_MEASURE_BEGIN(SF_APPL_MEASURE_BEGIN_TIMER, SF_APPL_MEASURE_BEGIN_RESET);
...
SF_APPL_MEASURE_END_VALUE := SF_APPL_MEASURE_END(SF_APPL_MEASURE_END_TIMER);

4.6.7.6 SF_MAX_POWER_DIP_GET

Getting the current number of restarts after power dip in the safety CPU

Table 85: FUN name: SF_MAX_POWER_DIP_GET
Name | Data type | Initial value | Description, parameter values
VAR_OUTPUT
SF_MAX_POWER_DIP_GET | WORD | 16#0000 | Actual value of the power dip error counter.

Call in ST:
SF_MAX_POWER_DIP_GET_Value := SF_MAX_POWER_DIP_GET();


Page 322: AC500-S Safety user manual V1.3.0 - ABB

4.6.7.7 SF_SAFETY_MODE

Reading out if the safety CPU is in DEBUG RUN (non-safety), DEBUG STOP (non-safety) or in RUN (safety) mode

Table 86: FUN name: SF_SAFETY_MODE
Name | Data type | Initial value | Description, parameter values
VAR_OUTPUT
SF_SAFETY_MODE | BOOL | FALSE | Safety CPU mode:
  ● FALSE: DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode is active.
  ● TRUE: RUN (safety) mode is active.

Call in ST:
SF_SAFETY_MODE_Value := SF_SAFETY_MODE();

4.6.7.8 SF_SM5XX_OWN_ADR

Getting the value of the hardware switch address on the safety CPU

Only the value set during SM560-S safety CPU start-up is read. Further changes of the hardware switch address are ignored.

NOTICE! Despite the fact that the SF_SM5XX_OWN_ADR function is a safety POU, the hardware switch address value is a non-safety value and needs additional measures to satisfy functional safety requirements.

Table 87: FUN name: SF_SM5XX_OWN_ADR
Name | Data type | Initial value | Description, parameter values
VAR_OUTPUT
SF_SM5XX_OWN_ADR | BYTE | 16#00 | Value of the hardware switch address on the safety CPU set during its start-up.

Call in ST:
SF_SM5XX_OWN_ADR_Value := SF_SM5XX_OWN_ADR();


Page 323: AC500-S Safety user manual V1.3.0 - ABB

4.6.7.9 SF_RTS_INFO

Display of the firmware version of the safety CPU

This function provides the firmware version of the safety CPU. The version is a binary coded decimal, e.g., 16#10 means version 1.0.

Table 88: FUN name: SF_RTS_INFO
Name | Data type | Initial value | Description, parameter values
VAR_OUTPUT
SF_RTS_INFO | WORD | 16#0000 | Firmware version of the safety CPU. The upper BYTE of the entry represents the main version; the lower BYTE represents the subversion of the runtime system. Example: RTS_VERSION = 16#0110 ➔ V01.1.0

Call in ST:
SF_RTS_INFO_Value := SF_RTS_INFO();

4.6.7.10 SF_FLASH_READ

Reading of user data from the flash memory

The function block reads a data set from a data segment in the flash memory and stores this data set beginning at the starting flag defined at input SM. The data contained in the data set were previously stored to the flash memory using the SF_FLASH_WRITE function block.


Page 324: AC500-S Safety user manual V1.3.0 - ABB

NOTICE! Access to the flash memory is only possible using the function blocks SF_FLASH_WRITE, SF_FLASH_DEL and SF_FLASH_READ.
NB blocks are read starting at block BNR within segment SEG and stored starting at address SM. 32 binary data or 16 word data or 8 double word data are read per block. One block contains 38 bytes:
– 32 bytes of data
– 4 bytes for CRC checksum
– 1 byte as "written" identifier
– 1 byte for alignment
See Table 90 "Structure of one of the flash memory segments with user data" on page 325.

Reading a data set is triggered once by a FALSE/TRUE edge at input EN. If no error occurred while reading the data, output DONE is set to TRUE and the outputs ERR and ERNO are set to FALSE. The data set is stored beginning at the defined start flag SM. Storing the data set can take several CPU cycles. If an error occurs during reading, DONE and ERR are set to TRUE and the data from SM are equal to 0. The error type is indicated at output ERNO.

NOTICE! This function block is activated by a positive edge of the input variable EN. During the cycle where the function block notices that the operation is finished (output DONE = TRUE) it will set the output variables only for one cycle. When the function block is called again it will reset the output variables immediately.

Table 89: FB name: SF_FLASH_READ
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
EN | BOOL | FALSE | Activation of the FB using a positive edge. The following applies:
  ● EN = FALSE/TRUE edge: Reading the data set is carried out once.
  ● EN = TRUE: The function block is not processed, i.e. it does not change its outputs anymore.
NB | WORD | 16#0000 | Number of data set blocks (decimal 1 ... 1724). Input NB is used to specify the number of blocks contained in the data set. 32 byte data or 16 word data or 8 double word data are read per block. Valid values: 1 ... 1724. Example:
  ● SM = ADR(%MW0.0) and NB = 1: Data are stored at %MW0.0 to %MW0.15 (1 block = 16 word data)
  ● SM = ADR(%MW0.0) and NB = 2: Data are stored at %MW0.0 to %MW0.31 (2 blocks = 32 word data)


Page 325: AC500-S Safety user manual V1.3.0 - ABB

SEG | BYTE | 16#00 | ID number of the data segment (16#01 or 16#02)
BNR | WORD | 16#0000 | Starting block number in the flash memory data segment (decimal 0 ... 1723)
SM | DWORD | 16#00000000 | Destination address for the read data set (address of the first variable where the data are placed)
VAR_OUTPUT
DONE | BOOL | FALSE | Reading procedure is completed (DONE = TRUE). This output always has to be considered together with output ERR. The following applies:
  ● DONE = TRUE and ERR = FALSE: Reading completed. The data set has been stored beginning at the defined input SM.
  ● DONE = TRUE and ERR = TRUE: An error occurred while reading the data set. Output ERNO indicates the error number.
ERR | BOOL | FALSE | Error occurred (data segment could not be read). This output always has to be considered together with output DONE. The following applies if an error occurred: DONE = TRUE and ERR = TRUE. Output ERNO indicates the error number.
ERNO | WORD | 16#0000 | Error number, see [3]. Output ERNO indicates an error number. This output always has to be considered together with the outputs DONE and ERR. The SF_FLASH_READ operation may take quite a long time since the safety CPU user program is processed with higher priority. Output ERNO indicates that the function block has started the execution (0x0FFF = BUSY). During this phase, the outputs ERR and DONE are set to FALSE.

Table 90: Structure of one of the flash memory segments with user data
Layout of one block (38 bytes):
Byte | 1 2 | 3 4 | 5 6 | ... | 29 30 | 31 32 | 33 ... 36 | 37 | 38
Content | Word 1 | Word 2 | Word 3 | ... | Word 15 | Word 16 | CRC | Written identifier | Alignment
Position of the blocks in the segment:
Byte offset | Block no.
0 | 0
38 | 1
76 | 2
... | ...
65436 | 1722
65474 | 1723


Page 326: AC500-S Safety user manual V1.3.0 - ABB

Call in ST:
READ_FLASH(EN := EN_FLASH_READ,
    NB := NB_FLASH_READ,
    SEG := SEG_FLASH_READ,
    BNR := BNR_FLASH_READ,
    SM := SM_FLASH_READ,
    DONE => DONE_FLASH_READ,
    ERR => ERR_FLASH_READ,
    ERNO => ERNO_FLASH_READ);

4.6.7.11 SF_FLASH_WRITE

Writing of user data to the flash memory

The function block writes a data set to a data segment in the flash memory. For that purpose, two data segments are available in the safety CPU. The delete operation (function block SF_FLASH_DEL) always deletes a data segment as a whole. One data segment consists of 1724 blocks (0 ... 1723). Each block comprises 38 bytes. The maximum number of writing cycles to the flash memory is limited. Deleting data in the flash memory is also considered to be a "writing" cycle. After a delete operation, data can be written only once to each of these 1724 data segment blocks. If a block containing data is to be overwritten with new data, the entire data segment has to be deleted first. In doing so, all data in this segment will be lost.

NB blocks are read starting at address SM and stored in segment SEG starting at block BNR. 32 binary data or 16 word data or 8 double word data are read per block. One block contains 38 bytes:
● 32 bytes of data
● 4 bytes for CRC checksum
● 1 byte as "written" identifier
● 1 byte for alignment
See Table 90 "Structure of one of the flash memory segments with user data" on page 325.

Once the write operation for a data set has been started (by a FALSE/TRUE edge at input EN), the data contained in the data set must not be changed anymore until the write operation completes (DONE = TRUE). Storing the data set in the flash memory can take several safety CPU cycles. With a FALSE/TRUE edge at input EN, the data set is written once. Input EN is not evaluated again until the storage procedure is finished (DONE = TRUE). After the write operation is finished, the function block outputs DONE, ERR and ERNO are updated. Data storage was successful if DONE = TRUE and ERR = FALSE. If DONE = TRUE and ERR = TRUE, an error occurred. The error type is indicated at output ERNO. A new FALSE/TRUE edge at input EN starts a new write operation. Input BNR must point to the next free block for the next write operation since no new data can be written to blocks that already contain data without a preceding deletion of the data segment.


Page 327: AC500-S Safety user manual V1.3.0 - ABB

NOTICE! This function block is activated by a positive edge of the input variable EN. During the cycle where the function block notices that the operation is finished (output DONE = TRUE) it will set the output variables only for one cycle. When the function block is called again it will reset the output variables immediately.

Table 91: FB name: SF_FLASH_WRITE
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
EN | BOOL | FALSE | Activation of the FB using a positive edge. The following applies:
  ● EN = FALSE/TRUE edge: Reading the data set is carried out once.
  ● EN = TRUE: The function block is not processed, i.e. it does not change its outputs anymore.
NB | WORD | 16#0000 | Number of data set blocks (decimal 1 ... 1724). Input NB is used to specify the number of blocks contained in the data set. 32 byte data or 16 word data or 8 double word data are read per block. Valid values: 1 ... 1724. Example:
  ● SM = ADR(%MW0.0) and NB = 1: Data are stored at %MW0.0 to %MW0.15 (1 block = 16 word data)
  ● SM = ADR(%MW0.0) and NB = 2: Data are stored at %MW0.0 to %MW0.31 (2 blocks = 32 word data)
SEG | BYTE | 16#00 | ID number of the data segment (16#01 or 16#02)
BNR | WORD | 16#0000 | Starting block number in the flash memory data segment (decimal 0 ... 1723)
SM | DWORD | 16#00000000 | Source start address (address of the first variable from where the data will be written to the flash memory). At input SM, the address of the first variable of the data set is specified using an ADR operator. Once the write operation for a data set has been started (by a FALSE/TRUE edge at input EN), the data contained in the data set must not be changed anymore until the write operation is finished (DONE = TRUE).
VAR_OUTPUT
DONE | BOOL | FALSE | Writing procedure is completed (DONE = TRUE). This output always has to be considered together with output ERR. The following applies:
  ● DONE = TRUE and ERR = FALSE: Write operation completed. The data set has been stored in the flash.
  ● DONE = TRUE and ERR = TRUE: An error occurred during the write operation. Output ERNO indicates the error number.


Page 328: AC500-S Safety user manual V1.3.0 - ABB

ERR | BOOL | FALSE | Error occurred (data segment could not be written). Output ERR indicates whether an error occurred during the write operation. This output always has to be considered together with output DONE. The following applies if an error occurred: DONE = TRUE and ERR = TRUE. Output ERNO indicates the error number.
ERNO | WORD | 16#0000 | Error number, see [3]. Output ERNO indicates an error number. This output always has to be considered together with the outputs DONE and ERR. The SF_FLASH_WRITE operation may take quite a long time since the safety PLC user program is processed with higher priority. Output ERNO then indicates that the function block has started the execution (0x0FFF = BUSY). During this phase, the outputs ERR and DONE are set to FALSE.

Call in ST:
WRITE_FLASH(EN := EN_FLASH_WRITE,
    NB := NB_FLASH_WRITE,
    SEG := SEG_FLASH_WRITE,
    BNR := BNR_FLASH_WRITE,
    SM := SM_FLASH_WRITE,
    DONE => DONE_FLASH_WRITE,
    ERR => ERR_FLASH_WRITE,
    ERNO => ERNO_FLASH_WRITE);

4.6.7.12 SF_FLASH_DEL

Delete a selected segment from the flash memory

This function block deletes a selected segment with user data from the flash memory. Input SEG defines the data segment within the flash memory. In the safety CPU, two segments numbered 1 and 2 (each providing 64 kB incl. CRC, flag and alignment) are reserved for the user. Deleting a data segment within the flash memory may take several PLC cycles. Deletion of the data segment is triggered once by a FALSE/TRUE edge at input EN. Input EN will not be evaluated again until the delete operation is completed (DONE = TRUE). After the deletion procedure is finished, all function block outputs are updated. The deletion was successful if DONE = TRUE and ERR = FALSE. If the outputs show DONE = TRUE and ERR = TRUE, the data segment could not be deleted.


Page 329: AC500-S Safety user manual V1.3.0 - ABB

NOTICE! This function block is activated by a positive edge of the input variable EN. During the cycle where the function block notices that the operation is finished (output DONE = TRUE) it will set the output variables only for one cycle. When the function block is called again it will reset the output variables immediately.

Table 92: FB name: SF_FLASH_DEL
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
EN | BOOL | FALSE | Activation of the FB using a positive edge. Deletion of the data segment is started once. Input EN will not be evaluated again until the delete operation is finished (DONE = TRUE). EN = TRUE: The function block is not processed, i.e. it does not change its outputs anymore. This is not valid during a delete operation.
SEG | BYTE | 16#00 | ID number of the data segment (16#01 or 16#02)
VAR_OUTPUT
DONE | BOOL | FALSE | Delete procedure is completed (DONE = TRUE). Output DONE indicates that deletion of the data segment is completed. This output always has to be considered together with output ERR. The following applies:
  ● DONE = TRUE and ERR = FALSE: Deletion completed. The data segment has been deleted successfully.
  ● DONE = TRUE and ERR = TRUE: An error occurred while deleting the data segment. The data segment could not be deleted successfully.
ERR | BOOL | FALSE | Error occurred (data segment could not be deleted). Output ERR indicates whether an error occurred during deletion. This output always has to be considered together with output DONE. The following applies if the data segment could not be deleted: DONE = TRUE and ERR = TRUE. Output ERNO indicates the error number.
ERNO | WORD | 16#0000 | Error number, see [3]. Output ERNO indicates an error number. This output always has to be considered together with the outputs DONE and ERR. The SF_FLASH_DEL operation may take quite a long time since the safety CPU user program is processed with higher priority. Output ERNO indicates that the function block has started the execution (0x0FFF = BUSY). During this phase, the outputs ERR and DONE are set to FALSE.


Page 330: AC500-S Safety user manual V1.3.0 - ABB

Call in ST:
DEL_FLASH(EN := EN_FLASH_DEL,
    SEG := SEG_FLASH_DEL,
    DONE => DONE_FLASH_DEL,
    ERR => ERR_FLASH_DEL,
    ERNO => ERNO_FLASH_DEL);
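The delete, write and read-back sequence that the SF_FLASH_READ, SF_FLASH_WRITE and SF_FLASH_DEL descriptions above call for, as an added example that is not from the ABB manual: a one-block data set is written to segment 1 after a delete, read back from the same block and compared word by word, with DONE/ERR/ERNO latched in the single cycle they are valid and BNR advanced to the next free block after each write. Program, variable names and the test pattern are constructed assumptions.

```st
PROGRAM PRG_FLASH_USER_DATA
VAR CONSTANT
    SEG_USER  : BYTE := 16#01;   (* user data segment 1 (16#01 or 16#02) *)
    NB_BLOCKS : WORD := 1;       (* one block = 16 word data *)
END_VAR
VAR
    fbDel   : SF_FLASH_DEL;
    fbWrite : SF_FLASH_WRITE;
    fbRead  : SF_FLASH_READ;
    awWrite : ARRAY[0..15] OF WORD;   (* data set to store; untouched while writing *)
    awRead  : ARRAY[0..15] OF WORD;   (* read-back buffer; all 0 after a read error *)
    bStart  : BOOL := FALSE;          (* set TRUE by the application to run the sequence *)
    bEnDel, bEnWrite, bEnRead : BOOL; (* EN inputs steered by the sequence below *)
    wNextFreeBlock : WORD := 0;       (* BNR for the next write: blocks are write-once *)
    wWrittenBlock  : WORD := 0;       (* BNR used by the read-back *)
    wErrNo         : WORD := 0;       (* ERNO of the operation that failed, see [3] *)
    bDataOk        : BOOL := FALSE;   (* read-back matched what was written *)
    iStep          : INT := 0;
    i              : INT;
END_VAR

(* The blocks are called in every cycle; the sequence only steers their EN
   inputs, so the FALSE/TRUE edge is generated and the one-cycle DONE is not
   missed. While an operation runs, ERNO reads 16#0FFF (BUSY) and DONE = ERR
   = FALSE, which the sequence simply waits out. *)
fbDel(EN := bEnDel, SEG := SEG_USER);
fbWrite(EN := bEnWrite, NB := NB_BLOCKS, SEG := SEG_USER,
        BNR := wNextFreeBlock, SM := ADR(awWrite));
fbRead(EN := bEnRead, NB := NB_BLOCKS, SEG := SEG_USER,
       BNR := wWrittenBlock, SM := ADR(awRead));

CASE iStep OF
0:  (* idle: fill a constructed test pattern and start with the delete *)
    IF bStart THEN
        bStart := FALSE;
        FOR i := 0 TO 15 DO
            awWrite[i] := 16#A500 + INT_TO_WORD(i);
        END_FOR;
        bEnDel := TRUE;
        iStep  := 1;
    END_IF

1:  (* delete: the whole segment is erased, every block is free afterwards *)
    IF fbDel.DONE THEN                 (* outputs are valid in this cycle only *)
        bEnDel := FALSE;
        IF fbDel.ERR THEN
            wErrNo := fbDel.ERNO;
            iStep  := 99;
        ELSE
            wNextFreeBlock := 0;
            bEnWrite := TRUE;
            iStep    := 2;
        END_IF
    END_IF

2:  (* write one block; awWrite is left untouched until DONE = TRUE *)
    IF fbWrite.DONE THEN
        bEnWrite := FALSE;
        IF fbWrite.ERR THEN
            wErrNo := fbWrite.ERNO;
            iStep  := 99;
        ELSE
            wWrittenBlock  := wNextFreeBlock;
            wNextFreeBlock := wNextFreeBlock + NB_BLOCKS; (* next write needs a free block *)
            bEnRead := TRUE;
            iStep   := 3;
        END_IF
    END_IF

3:  (* read the block back and verify it word by word *)
    IF fbRead.DONE THEN
        bEnRead := FALSE;
        IF fbRead.ERR THEN
            wErrNo := fbRead.ERNO;
            iStep  := 99;
        ELSE
            bDataOk := TRUE;
            FOR i := 0 TO 15 DO
                IF awRead[i] <> awWrite[i] THEN
                    bDataOk := FALSE;
                END_IF
            END_FOR;
            iStep := 4;
        END_IF
    END_IF

4, 99:  (* finished (bDataOk) or failed (wErrNo); wait for the next bStart *)
    IF bStart THEN
        iStep := 0;
    END_IF
END_CASE;

END_PROGRAM
```

Writing a second data set without the preceding delete only works with wNextFreeBlock pointing at a block that has not been written since the last delete; a write to an already written block fails with DONE = TRUE and ERR = TRUE.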

4.6.7.13 SF_DPRAM_PM5XX_S_REC

Reading the data from non-safety CPU to safety application on safety CPU

DANGER! It is not recommended to transfer data values from the non-safety CPU to the safety CPU. But if doing so, end-users have to define additional process-specific validation procedures in the safety program to check the correctness of the transferred non-safety data, if they would like to use those non-safety values for safety functions. It is of no concern to transfer data values from the safety CPU to the non-safety CPU, e.g., for diagnosis and later visualization on operator panels.

DANGER! If the SF_DPRAM_PM5XX_S_REC function block is used to receive data from the non-safety CPU, then SIL 3 (IEC 61508 and IEC 62061) and PL e (ISO 13849-1) functional safety requirements will not be fulfilled for the received data (independently of the application safety communication profile used), because only one microprocessor (no 1oo2 safety architecture in the background) on the safety CPU handles the receiving direction. Contact ABB technical support on how to reach SIL 3 and PL e.

The SF_DPRAM_PM5XX_S_REC function block is used to receive data from the non-safety CPU. This data is stored in the memory area (DATA, memory address for received data, provided via ADR operator). The function block is enabled by a TRUE signal at input EN. It remains active until input EN is set to FALSE. Output DATA_LEN displays the length of the received data in bytes. DONE = TRUE and ERR = FALSE indicate successful data reception. If an error was detected during function block processing, the error is indicated at the outputs ERR and ERNO.

NOTICE! Reception using the SF_DPRAM_PM5XX_S_REC function block is not edge-triggered. Therefore, input EN has to be continuously set to TRUE during data reception.


Page 331: AC500-S Safety user manual V1.3.0 - ABB

Table 93: FB name: SF_DPRAM_PM5XX_S_REC
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
EN | BOOL | FALSE | Processing of this function block is controlled by input EN. The function block is active if EN = TRUE. The reception of data is indicated by output DONE.
DATA | DWORD | 16#00000000 | Input DATA is used to specify the address of the variable to which the user data is to be copied. The address specified at DATA has to belong to a variable of the type ARRAY or STRUCT. Set the variable size to the maximum expected amount of data in order to avoid overlapping of memory areas.
VAR_OUTPUT
DONE | BOOL | FALSE | Output DONE indicates the reception of data. This output always has to be considered together with output ERR. The following applies:
  ● DONE = TRUE and ERR = FALSE: Reception completed. A data set was received correctly.
  ● DONE = TRUE and ERR = TRUE: An error occurred during reception. The error number is indicated at output ERNO.
ERR | BOOL | FALSE | Output ERR indicates whether an error occurred during reception. This output always has to be considered together with output DONE. The following applies if an error occurred during reception: DONE = TRUE and ERR = TRUE. Output ERNO indicates the error number.
ERNO | WORD | 16#0000 | Error number, see [3]. Output ERNO provides an error identifier if an invalid value has been applied to an input or if an error occurred during job processing. ERNO always has to be considered together with the outputs DONE and ERR. The output value at ERNO is only valid if DONE = TRUE and ERR = TRUE.
DATA_LEN | DWORD | 16#00000000 | Output DATA_LEN displays the length of the received data in bytes (the maximum number is 84). The output value at DATA_LEN is only valid if DONE = TRUE.

Call in ST:
PM5xxRec (EN := PM5xxRec_EN,
    DATA := ADR(PM5xxRec_DATA),
    DONE => PM5xxRec_DONE,
    ERR => PM5xxRec_ERR,
    ERNO => PM5xxRec_ERNO,
    DATA_LEN => PM5xxRec_DATA_LEN);
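The "additional process-specific validation procedures" the DANGER notice above asks for, as an added example that is not from the ABB manual: the non-safety CPU is assumed to send a value, its bitwise complement and a running sequence number; the safety program takes over a value only when it passes the complement, sequence, range and timeliness checks and otherwise falls back to a safe default. Type, program and variable names, the telegram layout and the limits are constructed assumptions; the checks do not change the SIL 3 / PL e statement made in the DANGER notice.

```st
(* Telegram layout agreed with the non-safety CPU (constructed for this example) *)
TYPE ST_NS_SETPOINT :
STRUCT
    wSetpoint    : WORD;   (* value the safety application wants to use *)
    wInvSetpoint : WORD;   (* bitwise complement of wSetpoint, filled in by the sender *)
    wSeqNo       : WORD;   (* incremented by the sender for every telegram *)
END_STRUCT
END_TYPE

PROGRAM PRG_NS_SETPOINT_RX
VAR CONSTANT
    TELEGRAM_LEN  : DWORD := 6;    (* 3 x WORD; must match DATA_LEN (max. 84 bytes) *)
    SETPOINT_MAX  : WORD := 1200;  (* process-specific upper limit (constructed) *)
    SETPOINT_SAFE : WORD := 0;     (* value used while the non-safety data is not trusted *)
    STALE_LIMIT   : WORD := 50;    (* cycles without an accepted telegram before fallback *)
END_VAR
VAR
    fbRec         : SF_DPRAM_PM5XX_S_REC;
    stRx          : ST_NS_SETPOINT;  (* DATA target; sized for the whole telegram *)
    bSynced       : BOOL := FALSE;   (* first accepted telegram seeds the sequence check *)
    wLastSeqNo    : WORD := 0;
    wStaleCycles  : WORD := 0;
    bFresh        : BOOL := FALSE;   (* an acceptable telegram arrived in this cycle *)
    bNsDataValid  : BOOL := FALSE;   (* TRUE while a plausible, timely value is available *)
    wSetpointUsed : WORD := 0;       (* the only value the rest of the program reads *)
    wLastErrNo    : WORD := 0;
END_VAR

(* EN stays TRUE: reception with this block is not edge-triggered *)
fbRec(EN := TRUE, DATA := ADR(stRx));
bFresh := FALSE;

IF fbRec.DONE THEN
    IF fbRec.ERR THEN
        wLastErrNo := fbRec.ERNO;            (* ERNO valid only with DONE and ERR = TRUE *)
    ELSIF fbRec.DATA_LEN = TELEGRAM_LEN THEN (* DATA_LEN valid only with DONE = TRUE *)
        (* Process-specific checks on the received non-safety data: complement,
           sequence continuity and range. A telegram that fails is dropped. *)
        IF (stRx.wInvSetpoint = NOT stRx.wSetpoint)
           AND (stRx.wSetpoint <= SETPOINT_MAX)
           AND (NOT bSynced OR (stRx.wSeqNo = wLastSeqNo + 1)) THEN
            bSynced       := TRUE;
            wLastSeqNo    := stRx.wSeqNo;
            wSetpointUsed := stRx.wSetpoint;
            wStaleCycles  := 0;
            bFresh        := TRUE;
        END_IF
    END_IF
END_IF

(* Timeliness: without an accepted telegram for STALE_LIMIT cycles the value
   falls back to SETPOINT_SAFE and the sequence check re-synchronises. *)
IF NOT bFresh AND (wStaleCycles < STALE_LIMIT) THEN
    wStaleCycles := wStaleCycles + 1;
END_IF
bNsDataValid := (wStaleCycles < STALE_LIMIT);
IF NOT bNsDataValid THEN
    wSetpointUsed := SETPOINT_SAFE;
    bSynced       := FALSE;
END_IF

END_PROGRAM
```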


Page 332: AC500-S Safety user manual V1.3.0 - ABB

4.6.7.14 SF_DPRAM_PM5XX_S_SEND

Sending data from the safety CPU to the non-safety CPU

The SF_DPRAM_PM5XX_S_SEND function block is used to send data to the non-safety CPU. The data to be sent is available in the memory area (DATA, memory address for data to be transmitted, provided via ADR operator). The function block is activated with a TRUE signal (FALSE/TRUE edge) at input EN. The length of the data to be transmitted is specified in bytes at input DATA_LEN. DONE = TRUE and ERR = FALSE indicate that the sending process was successful. If an error was detected during function block processing, the error is indicated at the outputs ERR and ERNO.

DANGER! If FB SF_DPRAM_PM5XX_S_SEND is used to send safety data from the safety CPU to the non-safety CPU, then SIL 3 (IEC 61508 and IEC 62061) and PL e (ISO 13849-1) functional safety requirements will not be fulfilled for the sent data (independently of the application safety communication profile used), because only one microprocessor (no 1oo2 safety architecture in the background) on the safety CPU handles the sending direction. Contact ABB technical support on how to reach SIL 3 and PL e.

NOTICE! Sending data using the SF_DPRAM_PM5XX_S_SEND function block is edge-triggered, i.e. each sending process is initiated by a FALSE/TRUE edge at input EN.

NOTICE! This function block is activated by a positive edge of the input variable EN. During the cycle where the function block notices that the operation is finished (output DONE = TRUE) it will set the output variables only for one cycle. When the function block is called again it will reset the output variables immediately.

Table 94: FB name: SF_DPRAM_PM5XX_S_SEND
Name | Data type | Initial value | Description, parameter values
VAR_INPUT
EN | BOOL | FALSE | Enabling of function block processing. Processing of this function block is controlled by input EN. The data transfer is initiated by a FALSE/TRUE edge. The sending of data is indicated by output DONE.


Page 333: AC500-S Safety user manual V1.3.0 - ABB

DATA | DWORD | 16#00000000 | Input DATA is used to specify the address of the variable the user data are to be copied to. The address specified at DATA has to belong to a variable of the type ARRAY or STRUCT. Set the variable size to the maximum expected amount of data in order to avoid overlapping of memory areas.
DATA_LEN | DWORD | 16#00000000 | The length of the data to be transmitted is specified in bytes at input DATA_LEN. The maximum number is 84.
VAR_OUTPUT
DONE | BOOL | FALSE | Output DONE indicates the sending of data. This output always has to be considered together with output ERR. The following applies:
  ● DONE = TRUE and ERR = FALSE: Sending completed. A data set was sent correctly.
  ● DONE = TRUE and ERR = TRUE: An error occurred during sending. The error number is indicated at output ERNO.
ERR | BOOL | FALSE | Output ERR indicates whether an error occurred during sending. This output always has to be considered together with output DONE. The following applies if an error occurred during sending: DONE = TRUE and ERR = TRUE. Output ERNO indicates the error number.
ERNO | WORD | 16#0000 | Error number, see [3]. Output ERNO provides an error identifier if an invalid value has been applied to an input or if an error occurred during job processing. ERNO always has to be considered together with the outputs DONE and ERR. The output value at ERNO is only valid if DONE = TRUE and ERR = TRUE.

Call in ST:
PM5xxSend (EN := PM5xxSend_EN,
    DATA := ADR(PM5xxSend_DATA),
    DATA_LEN := PM5xxSend_DATA_LEN,
    DONE => PM5xxSend_DONE,
    ERR => PM5xxSend_ERR,
    ERNO => PM5xxSend_ERNO);


Page 334: AC500-S Safety user manual V1.3.0 - ABB

5 Safety times

5.1 Overview

Errors in the system may lead to dangerous operating conditions. Potential errors are detected by the safety module background self-tests, which trigger defined error reactions in safety modules to transfer faulty modules into the safe state. In this chapter, we list various safety times for AC500-S safety modules and the AC500-S safety PLC as a system.

5.2 Fault reaction time

Fault reaction time is the maximum time between the appearance of the fault in the system and the trigger of pre-defined error reactions. The table below provides an overview of the longest fault reaction times in AC500-S safety modules.

Table 95: Fault reaction times in AC500-S safety modules
Module | Fault reaction time, internal faults (e.g., RAM cell fault) | Fault reaction time, external faults (e.g., wrong wiring)
AC500-S safety CPUs | < 24 h | Not applicable
DI581-S safety I/O | < 24 h | < 1.9 s
DX581-S safety I/O | < 24 h | < 0.5 s
AI581-S safety I/O | < 24 h | < 0.8 s

Contact ABB technical support for more detailed fault reaction times, if needed.

5.3 Safety function response time

The safety function response time (SFRT) is the time within which the AC500-S safety PLC in the normal RUN mode must react after an error has occurred in the system. On the application side, SFRT is the maximum amount of time in which the safety system must respond to a change in input signals or module failures. SFRT is one of the most important safety times, because it is used in time-critical safety applications, like presses, to define a proper distance for a light curtain or other safety sensor to protect people from potentially dangerous machine parts.

SFRT for PROFIsafe devices can be defined as, based on [7]:

Equation 1: SFRT = TWCDT + Longest ∆T_WD

where
● TWCDT (total worst case delay time) is the maximal time for input signal transfer in the AC500-S system until the output reaction under worst-case conditions (all components require the maximum time).
● Longest ∆T_WD is the longest time difference between the watchdog time for a given entity and its worst case delay time. In the safety context, to identify SFRT one has to take into account a potential single fault in one of the safety modules during the signal transfer. It is enough to consider a single fault only, see [7].

Safety times
Safety function response time

2022/02/04 3ADR025091M0210, 14, en_US 334

Page 335: AC500-S Safety user manual V1.3.0 - ABB

Fig. 123, Fig. 124 and Fig. 125 explain SFRT in more detail. The model in Fig. 123 and Fig. 124 includes the stages of input signal reading, safe data transfer, safe logic processing, safe data transfer and safe signal output. The model in Fig. 125 presents safe CPU to CPU communication, which includes the stages of safe logic processing, safe data transfer and safe logic processing.

Fig. 123: SFRT in AC500-S system without PROFINET components

All terms in this figure are further explained on page 337.


Page 336: AC500-S Safety user manual V1.3.0 - ABB

Fig. 124: SFRT in AC500-S system with PROFINET components and safety I/O modules

All terms in this figure are further explained on page 337.


Page 337: AC500-S Safety user manual V1.3.0 - ABB

Fig. 125: SFRT in AC500-S system with PROFINET components and safe CPU to CPU communication (example: SM560-S-FD-1 to SM560-S)

All terms in this figure are further explained on page 337.

The following terms are defined in Fig. 123, Fig. 124 and Fig. 125 (in alphabetical order):
● Device_WD1 (safety I/O time for inputs) is an internal input device watchdog time in ms which includes:
  – Input delay (variable as parameter; not used for safety analog inputs, which have an internal input delay of 67.5 ms in the worst case instead).
  – Input delay accuracy, see Table 4 "Input delay accuracy for DI581-S" on page 67 and Table 6 "Input delay accuracy for DX581-S" on page 92.
  – Test pulse low phase (fixed to 1 ms and optional (only if test pulses are used); not used for safety analog inputs).
  – Two times internal cycle time (fixed; AI581-S ➔ 4.5 ms, DX581-S ➔ 5.5 ms and DI581-S ➔ 6.5 ms).
● Device_WD2 (safety I/O time for outputs) is an internal output device watchdog time in ms which includes:
  – Internal safety output device cycle time (fixed; DX581-S ➔ 5.5 ms).
  – Output processing time in DX581-S (fixed to 1.5 ms).
  – Hardware delay (current dependent, e.g., ~1 ms (747 µs at 5 mA) and the maximum of 4 ms under the maximum output current of 500 mA). If more precise values are needed, please contact ABB technical support.
● F_Host_WD (safety logic time) is the time which can be calculated as three times the safety application cycle watchdog time. The safety application cycle watchdog time itself is configurable using POU SF_WDOG_TIME_SET. The safety application cycle watchdog time depends on the number of F-Devices, the safety application program and the system configuration.


● F_WD_Time1 and F_WD_Time2: their sum represents the total data transport time via the "black channel". It covers the different "black channel" components, such as the fieldbus cycle time (PROFINET), the I/O bus time and the update time for the safety CPU (configurable as parameter) and the communication module.

● Fieldbus cycle time (PROFINET) depends on the communication settings of the PROFINET IO device to which the safety I/O module is attached. The cycle time is the product of two parameters of the PROFINET IO device:
– "Send clock", e.g., for CI501-PNIO and CI502-PNIO: 1 ms, 2 ms or 4 ms
– "Reduction ratio", e.g., for CI501-PNIO and CI502-PNIO: 1, 2, 4, 8, 16 ... 512
These values can be selected depending on the defined PROFINET parameters for this PROFINET module.

● The configurable update time for the safety CPU and communication modules describes the data transfer time via the communication module bus.
– With AC500 V2 non-safety CPU: the update time can be configured within the range 0 ... 20000 ms for both the safety CPU and the communication modules.
– With AC500 V3 non-safety CPU: the update time for the safety CPU can be configured within the range 1 ... 20000 ms. The update time for communication modules is related to the PROFINET IO controller (CM579-PNIO) and PROFINET IO device (CM589-PNIO) settings. It is defined by the communication module setting "Bus cycle task", e.g., in tab "PROFINET-IO-Controller I/O Mapping". Additional information: Ä "Bus cycle task" on page 407

● I/O bus time describes the data transfer time via the I/O bus for communication between the non-safety CPU and its local I/O bus modules as well as between communication interface modules and their local I/O bus modules.
– With AC500 V2 non-safety CPU: the I/O bus cycle time has no fixed pre-defined value. It is determined by the number and type of the configured I/O modules, independent of the non-safety CPU settings. The I/O bus time consists of:
- I/O bus master cycle: 2 ms (2 cycles, 1 ms each)
- I/O bus cycle time: typically 2 ... 5 ms (2 cycles, 1 ... 2.5 ms each)
In total, the typical range for the I/O bus time is 4 ... 7 ms.
– With AC500 V3 non-safety CPU: the I/O bus is driven with a defined cycle time. This I/O bus cycle time relates to the non-safety CPU setting "Bus cycle task" in tab "I/O-Bus I/O Mapping" Ä "Bus cycle task" on page 407. A basic definition of the I/O bus cycle time is made for the non-safety CPU in setting "Bus cycle task" in tab "PLC settings".
Example for an assignment to a task with 2 ms cycle time (lower than the defined update time for the safety CPU):
- Result for I/O bus master cycle: 2 ms = 2 cycles, 1 ms each
- Result for I/O bus cycle time: typically 4 ... 5 ms = 2 cycles, 2 ... 2.5 ms each (if the configured task cycle time does not suffice for the I/O bus module assembly, the I/O bus cycle time can be extended to a maximum of 2.5 ms)
In total, the I/O bus time for this example is 6 ... 7 ms. Refer to Ä "Bus cycle task" on page 407, e.g., for the I/O bus.
– With communication interface module CI50x-PNIO: the I/O bus cycle time has no fixed pre-defined value. It is determined by the number and type of the configured I/O modules, independent of the communication interface module settings. The I/O bus time consists of:
- I/O bus master cycle: 2 ms (2 cycles, 1 ms each)
- I/O bus cycle time: typically 4 ... 7 ms (2 cycles, 2 ... 3.5 ms each)
In total, the typical range for the I/O bus time is 6 ... 9 ms.

Below, a few examples of how to calculate SFRT values under various AC500-S system configurations are presented. In our calculations we use the following approach, based on Ä [2] and Ä [7], which allows SFRT to be calculated as:


Equation 2: SFRT = Device_WD1 + 0.5 * F_WD_Time1 + F_Host_WD + 0.5 * F_WD_Time2 + Device_WD2 + Longest ∆T_WD

DANGER!
Input delay, input delay accuracy and test pulse low phase are not needed for AI581-S. However, the worst case fixed internal input delay of 67.5 ms shall be used for AI581-S instead.

DANGER!
The input delay accuracy has to be calculated based on the following assumptions:
– It is not used for safety analog inputs.
– If no test pulses are configured for the given safety digital input, then the input delay accuracy can be calculated as 1 % of the set input delay value (however, the input delay accuracy value must be at least 0.5 ms!).
– If test pulses are configured for the given safety digital input, then depending on the type of the module (DI581-S or DX581-S) and the set input delay value, the following input delay accuracy values can be used in SFRT calculations: Ä Table 4 "Input delay accuracy for DI581-S" on page 67 Ä Table 6 "Input delay accuracy for DX581-S" on page 92

NOTICE!
Ä Equation 2 on page 338 is used for the SFRT calculation with the following reasoning:
– Device_WD1 and Device_WD2, as worst case delay times for safety I/Os, can be defined as shown in Fig. 123 and Fig. 124.
– To calculate the worst case delay time of the "black channel" components (the AC500 non-safety modules in Fig. 123 and Fig. 124), we propose to use half of F_WD_Time1 and F_WD_Time2 instead. F_WD_Time1 and F_WD_Time2 can be empirically obtained for the given AC500 system configuration by tracing the values of tResponseTimeMS for the given safety I/Os in the safety application. Use the PROFIsafe instance for the given safety I/O Ä Chapter 4.6.3 "SafetyBase_PROFIsafe_LV210_AC500_V22.lib" on page 197. F_WD_Time1 and F_WD_Time2 shall be set about 30 % higher than the worst case value observed in tResponseTimeMS for the given safety I/O.
– We propose to take the F_Host_WD time instead of the worst case delay time of the SM560-S safety CPU. F_Host_WD can be calculated as three times the value set using the SF_WDOG_TIME_SET POU. The correct value for SF_WDOG_TIME_SET can be empirically obtained by tracing the MAX_TIME output of the same POU in a test run. The SF_WDOG_TIME_SET value shall be set about 30 % higher than the worst case value (MAX_TIME) observed in the given safety application, to avoid availability problems due to triggering of the SM560-S safety CPU watchdog.
– F_WD_Time1 and F_WD_Time2 are the only candidates for Longest ∆T_WD, because F_Host_WD, Device_WD1 and Device_WD2 are already equal to their worst case delay times. Thus,

Longest ∆T_WD = Max (0.5 * F_WD_Time1; 0.5 * F_WD_Time2)


NOTICE!
Even better SFRT values than those obtained using Ä Equation 2 on page 338 could be achieved with a more detailed technical analysis. Contact ABB technical support for further details.

NOTICE!
F_WD_Time1 and F_WD_Time2 have to be set at least 2 times larger than the value set using SF_WDOG_TIME_SET, to avoid an unintended system stop due to PROFIsafe watchdog expiration.

DANGER!
AC500-S safety I/O modules satisfy the IEC 61131 requirement to bypass a potential undervoltage event with a duration of up to 10 ms. During such an undervoltage of up to 10 ms, AC500-S safety I/O modules deliver the last valid process value from before the undervoltage was detected, for safety analog input channels in AI581-S and for safety digital input and output values in DI581-S and DX581-S modules.
If the undervoltage phase is longer than 10 ms, then safety I/O module passivation occurs Ä Chapter 3.2.3 "Undervoltage / overvoltage" on page 63.
If undervoltage events with a duration of < 10 ms are frequently observed in the safety application, you have to add 10 ms for the AI581-S module in its SFRT calculation to take the bypass stage described above into account. Normally, undervoltage events with a duration of < 10 ms are seldom and are therefore considered low probability faults in the power supply system that can be omitted in the SFRT calculation.

Based on Fig. 123, Fig. 124 and Fig. 125, the following example SFRT values are obtained for some typical AC500-S configurations using Ä Equation 2 on page 338:

Without PROFINET (DI581-S ➔ SM560-S ➔ DX581-S)
SFRT = Device_WD1 + 0.5 * F_WD_Time1 + F_Host_WD + 0.5 * F_WD_Time2 + Device_WD2 + Longest ∆T_WD = 14.5 + 10 + 6 + 10 + 8 + 10 = 58.5 ms
where:
● Device_WD1 = 1 ms + 0.5 ms + 2 x 6.5 ms = 14.5 ms (no test pulses were used)
● F_WD_Time1 = 20 ms
● F_Host_WD = 3 x 2 ms (SF_WDOG_TIME_SET time) = 6 ms
● F_WD_Time2 = 20 ms
● Device_WD2 = 8 ms (output current = ~ 5 mA)
● Longest ∆T_WD = Max (0.5 * F_WD_Time1; 0.5 * F_WD_Time2) = 10 ms


Without PROFINET (DX581-S ➔ SM560-S ➔ DX581-S)
SFRT = Device_WD1 + 0.5 * F_WD_Time1 + F_Host_WD + 0.5 * F_WD_Time2 + Device_WD2 + Longest ∆T_WD = 12.5 + 10 + 6 + 10 + 8 + 10 = 56.5 ms
where:
● Device_WD1 = 1 ms + 0.5 ms + 2 x 5.5 ms = 12.5 ms (no test pulses were used)
● F_WD_Time1 = 20 ms
● F_Host_WD = 3 x 2 ms (SF_WDOG_TIME_SET time) = 6 ms
● F_WD_Time2 = 20 ms
● Device_WD2 = 8 ms (output current = ~ 5 mA)
● Longest ∆T_WD = Max (0.5 * F_WD_Time1; 0.5 * F_WD_Time2) = 10 ms

Without PROFINET (AI581-S ➔ SM560-S ➔ DX581-S)
SFRT = Device_WD1 + 0.5 * F_WD_Time1 + F_Host_WD + 0.5 * F_WD_Time2 + Device_WD2 + Longest ∆T_WD = 76.5 + 10 + 6 + 10 + 8 + 10 = 120.5 ms
where:
● Device_WD1 = 2 x 4.5 ms + 67.5 ms = 76.5 ms
● F_WD_Time1 = 20 ms
● F_Host_WD = 3 x 2 ms (SF_WDOG_TIME_SET time) = 6 ms
● F_WD_Time2 = 20 ms
● Device_WD2 = 8 ms (output current = ~ 5 mA)
● Longest ∆T_WD = Max (0.5 * F_WD_Time1; 0.5 * F_WD_Time2) = 10 ms

With PROFINET (DI581-S ➔ SM560-S ➔ DX581-S)
SFRT = Device_WD1 + 0.5 * F_WD_Time1 + F_Host_WD + 0.5 * F_WD_Time2 + Device_WD2 + Longest ∆T_WD = 14.5 + 15 + 6 + 15 + 8 + 15 = 73.5 ms
where:
● Device_WD1 = 1 ms + 0.5 ms + 2 x 6.5 ms = 14.5 ms (no test pulses were used)
● F_WD_Time1 = 30 ms
● F_Host_WD = 3 x 2 ms (SF_WDOG_TIME_SET time) = 6 ms
● F_WD_Time2 = 30 ms
● Device_WD2 = 8 ms (output current = ~ 5 mA)
● Longest ∆T_WD = Max (0.5 * F_WD_Time1; 0.5 * F_WD_Time2) = 15 ms

With PROFINET (DX581-S ➔ SM560-S ➔ DX581-S)
SFRT = Device_WD1 + 0.5 * F_WD_Time1 + F_Host_WD + 0.5 * F_WD_Time2 + Device_WD2 + Longest ∆T_WD = 12.5 + 15 + 6 + 15 + 8 + 15 = 71.5 ms
where:
● Device_WD1 = 1 ms + 0.5 ms + 2 x 5.5 ms = 12.5 ms (no test pulses were used)
● F_WD_Time1 = 30 ms
● F_Host_WD = 3 x 2 ms (SF_WDOG_TIME_SET time) = 6 ms
● F_WD_Time2 = 30 ms
● Device_WD2 = 8 ms (output current = ~ 5 mA)
● Longest ∆T_WD = Max (0.5 * F_WD_Time1; 0.5 * F_WD_Time2) = 15 ms


With PROFINET (AI581-S ➔ SM560-S ➔ DX581-S)
SFRT = Device_WD1 + 0.5 * F_WD_Time1 + F_Host_WD + 0.5 * F_WD_Time2 + Device_WD2 + Longest ∆T_WD = 76.5 + 15 + 6 + 15 + 8 + 15 = 135.5 ms
where:
● Device_WD1 = 2 x 4.5 ms + 67.5 ms = 76.5 ms
● F_WD_Time1 = 30 ms
● F_Host_WD = 3 x 2 ms (SF_WDOG_TIME_SET time) = 6 ms
● F_WD_Time2 = 30 ms
● Device_WD2 = 8 ms (output current = ~ 5 mA)
● Longest ∆T_WD = Max (0.5 * F_WD_Time1; 0.5 * F_WD_Time2) = 15 ms

With PROFINET (SM560-S-FD-1 ➔ SM560-S)
SFRT = Device_WD1 + 0.5 * F_WD_Time1 + F_Host_WD + Longest ∆T_WD = 9 + 25 + 6 + 25 = 65 ms
where:
● Device_WD1 = 3 x 3 ms (SF_WDOG_TIME_SET time of the sending safety CPU) = 9 ms
● F_WD_Time1 = 50 ms
● F_Host_WD = 3 x 2 ms (SF_WDOG_TIME_SET time of the receiving safety CPU) = 6 ms
● Longest ∆T_WD = 0.5 * F_WD_Time1 = 25 ms

NOTICE!
SFRT for such cases as SM560-S-FD-4 ➔ SM560-S, SM560-S ➔ SM560-S-FD-1, SM560-S ➔ SM560-S-FD-4, etc. can be calculated in the same way as shown in Fig. 125.

DANGER!
Mistakes in the SFRT calculation can lead to death or severe personal injury, especially in applications like presses, robotic cells, etc.

NOTICE!
High priority tasks on the non-safety CPU, which is part of the "black channel" for safety communication, may affect the TWCDT (total worst case delay time) of the AC500-S safety PLC.
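The following Python script is an added example, not part of the ABB manual: it encodes Equation 2 together with the Device_WD1 and Device_WD2 rules from the term list above (fixed internal cycle times, the 1 % / minimum 0.5 ms input delay accuracy without test pulses, the 1 ms test pulse low phase, the 67.5 ms AI581-S delay, the optional 10 ms undervoltage allowance) and the two sizing rules from the notices (about 30 % margin over the traced MAX_TIME and tResponseTimeMS values; F_WD_Time at least twice SF_WDOG_TIME_SET). Function names and parameter layout are this example's own. The input delay accuracy values with test pulses are not on this page and have to be passed in from Table 4 / Table 6. Running the script reproduces the worked values above (58.5, 120.5, 73.5 and 65 ms).

```python
"""SFRT calculator for AC500-S following Equation 2 of the safety manual.

Added example, not ABB code. Only the fixed module constants quoted in the
manual are encoded; accuracy values with test pulses (Table 4 / Table 6)
must be supplied by the caller.
"""
from typing import Optional

# Fixed internal cycle times of the safety I/O modules (ms), as quoted in the manual
INTERNAL_CYCLE_MS = {"AI581-S": 4.5, "DX581-S": 5.5, "DI581-S": 6.5}
AI581S_INTERNAL_INPUT_DELAY_MS = 67.5   # worst case; replaces delay, accuracy and test pulse terms
TEST_PULSE_LOW_PHASE_MS = 1.0           # only when test pulses are used
DX581S_OUTPUT_PROCESSING_MS = 1.5
UNDERVOLTAGE_BYPASS_MS = 10.0           # add for AI581-S only if < 10 ms dips are frequent


def input_delay_accuracy_ms(input_delay_ms: float, test_pulses: bool,
                            table_value_ms: Optional[float] = None) -> float:
    """Accuracy term of Device_WD1 for a safety digital input.

    Without test pulses: 1 % of the set input delay, but never less than 0.5 ms.
    With test pulses the value depends on module and delay and has to come
    from Table 4 (DI581-S) or Table 6 (DX581-S).
    """
    if not test_pulses:
        return max(0.01 * input_delay_ms, 0.5)
    if table_value_ms is None:
        raise ValueError("test pulses configured: pass the accuracy from Table 4 / Table 6")
    return table_value_ms


def device_wd1_ms(module: str, input_delay_ms: float = 0.0, test_pulses: bool = False,
                  table_accuracy_ms: Optional[float] = None,
                  frequent_undervoltage: bool = False) -> float:
    """Device_WD1 (safety I/O time for inputs) for AI581-S, DI581-S or DX581-S."""
    two_cycles = 2 * INTERNAL_CYCLE_MS[module]
    if module == "AI581-S":
        extra = UNDERVOLTAGE_BYPASS_MS if frequent_undervoltage else 0.0
        return two_cycles + AI581S_INTERNAL_INPUT_DELAY_MS + extra
    wd = input_delay_ms + input_delay_accuracy_ms(input_delay_ms, test_pulses, table_accuracy_ms)
    if test_pulses:
        wd += TEST_PULSE_LOW_PHASE_MS
    return wd + two_cycles


def device_wd2_ms(hardware_delay_ms: float = 1.0) -> float:
    """Device_WD2 for DX581-S outputs: cycle + processing + current dependent
    hardware delay (~1 ms at 5 mA, up to 4 ms at 500 mA)."""
    return INTERNAL_CYCLE_MS["DX581-S"] + DX581S_OUTPUT_PROCESSING_MS + hardware_delay_ms


def profisafe_watchdog_violations(host_wdog_ms: float, *f_wd_times_ms: float) -> list:
    """F_WD_Time values below 2 x SF_WDOG_TIME_SET: the PROFIsafe watchdog could
    expire on a healthy system and stop it unintentionally."""
    return [t for t in f_wd_times_ms if t < 2 * host_wdog_ms]


def size_from_traces_ms(max_time_ms: float, t_resp1_ms: float,
                        t_resp2_ms: Optional[float] = None, margin: float = 0.3):
    """Derive SF_WDOG_TIME_SET and F_WD_Time1/2 from the traced MAX_TIME output and
    tResponseTimeMS values with the ~30 % margin the manual recommends, then raise
    F_WD_Time to 2 x watchdog where the margin alone is not enough."""
    wdog = (1 + margin) * max_time_ms
    f_wd1 = max((1 + margin) * t_resp1_ms, 2 * wdog)
    f_wd2 = None if t_resp2_ms is None else max((1 + margin) * t_resp2_ms, 2 * wdog)
    return wdog, f_wd1, f_wd2


def sfrt_ms(dev_wd1_ms: float, f_wd_time1_ms: float, host_wdog_ms: float,
            f_wd_time2_ms: Optional[float] = None, dev_wd2_ms: float = 0.0) -> float:
    """Equation 2. For safe CPU to CPU communication (Fig. 125) pass the sending CPU's
    3 x SF_WDOG_TIME_SET as dev_wd1_ms and omit f_wd_time2_ms / dev_wd2_ms."""
    present = [t for t in (f_wd_time1_ms, f_wd_time2_ms) if t is not None]
    bad = profisafe_watchdog_violations(host_wdog_ms, *present)
    if bad:
        raise ValueError(f"F_WD_Time {bad} below 2 x SF_WDOG_TIME_SET ({host_wdog_ms} ms)")
    f_host_wd = 3 * host_wdog_ms
    half1 = 0.5 * f_wd_time1_ms
    half2 = 0.5 * f_wd_time2_ms if f_wd_time2_ms is not None else 0.0
    # Only the black channel terms are not already worst case, so Longest dT_WD is their larger half
    longest_delta_t_wd = max(half1, half2)
    return dev_wd1_ms + half1 + f_host_wd + half2 + dev_wd2_ms + longest_delta_t_wd


if __name__ == "__main__":
    # The manual's worked configurations: (label, Device_WD1, F_WD_Time1 = F_WD_Time2, Device_WD2)
    cases = [
        ("DI581-S -> SM560-S -> DX581-S, no PROFINET", device_wd1_ms("DI581-S", 1.0), 20, device_wd2_ms()),
        ("AI581-S -> SM560-S -> DX581-S, no PROFINET", device_wd1_ms("AI581-S"), 20, device_wd2_ms()),
        ("DI581-S -> SM560-S -> DX581-S, PROFINET", device_wd1_ms("DI581-S", 1.0), 30, device_wd2_ms()),
    ]
    for label, wd1, f_wd, wd2 in cases:
        print(f"{label}: SFRT = {sfrt_ms(wd1, f_wd, 2.0, f_wd, wd2)} ms")
    print(f"SM560-S-FD-1 -> SM560-S: SFRT = {sfrt_ms(3 * 3.0, 50, 2.0)} ms")
```

sfrt_ms() refuses a configuration with F_WD_Time below 2 x SF_WDOG_TIME_SET instead of silently returning a smaller SFRT: a tighter F_WD_Time shortens the computed response time, but it is exactly the setting the notice above warns will trip the PROFIsafe watchdog and stop the system.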


6 Checklists for AC500-S commissioning

6.1 Overview

All users of the AC500-S safety PLC shall evaluate the items from the checklists presented in this chapter for AC500-S commissioning and document them in their final reports.
The items in the checklists cover only the most important aspects from the AC500-S safety PLC perspective; users can extend the AC500-S checklists with additional aspects important for their safety applications.

6.2 Checklist for creation of safety application program

Each item is to be recorded with "Fulfilled (yes / no)?" and a "Comment".

1. Verify that only safety signals are used for all safety functions.

2. Verify that not only the safety application project is loaded to the safety CPU but also the relevant non-safety application project is loaded to the non-safety CPU. Verify that the programs are saved from RAM memory to the flash memory, i.e., "Create boot project" is done.

3. Up to Automation Builder 2.2.x: verify that the F-Parameters for all safety I/Os and other F-Devices set in the F-Parameter editor are the same as those listed in AC500-S Programming Tool: "Global Variables → PROFIsafe" Ä Chapter 4 "Configuration and programming" on page 135.
Automation Builder 2.3.x (and higher): verify that a valid SVT report is present for the application project.

4. The F-Host on the safety CPU can handle more than one F_Source_Add, if required, e.g., for PROFIsafe master-master coupling of different network islands. Verify that no ambiguous F_Source_Add settings for the various F-Devices were set for the given safety application.
Note:
The rule "F_Source_Add <> F_Dest_Add for the given F-Device" is automatically checked by Automation Builder.

5. Validate iParameters. Two options are available:
A) Validate that all iParameters (input delay, channel configuration, etc.) for all safety I/Os and other F-Devices are correct with the given F_iPar_CRC value using appropriate functional validation tests for those parameters (contact ABB technical support for more details)
or
B) Use the special verification procedure defined in Ä Chapter 6.5 "Verification procedure for safe iParameter setting in AC500-S safety I/Os" on page 350 to validate each iParameter and then carry out only functional safety validation tests of your application (no need to check each single iParameter value). You have to provide a report confirming that all iParameters were checked as described in Ä Chapter 6.5 "Verification procedure for safe iParameter setting in AC500-S safety I/Os" on page 350.
Make sure that all F_iPar_CRC are > 0.


6. Verify that the safety programming guidelines were properly applied in the safety application program Ä Chapter 4.4 "Safety programming guidelines" on page 182.

7. All signals from the non-safety user program on the non-safety CPU which are evaluated in the safety program on the safety CPU have to be included when the safety application program is printed out.

8. Has a review of the safety application program been carried out by a person not involved in the program creation?

9. Has the result of the safety application program review been documented and released (date / signature)?

10. Was a backup of the complete safety (see note below) and non-safety project created before loading the programs on the safety and non-safety CPUs?
Note:
● Make sure that file name, change date, title, author, version, description and CRC of the safety boot project are documented as a backup.
● No further changes are allowed for the safety parts in the Automation Builder project and AC500-S Programming Tool. Any change leads to a new safety boot project CRC, which requires re-doing this checklist from the beginning.

11. Verify using the menu item "Online → Check boot project in PLC" that the offline safety project in AC500-S Programming Tool and the boot project on the safety CPU are identical (file name, change date, title, author, version, description and CRC).

12. If floating-point operations are used, verify that the rules presented in Ä Chapter 3.1.2.2 "Floating-point operations" on page 35 are taken into account and do not lead to any unsafe states in the safety application program.

13. Verify that POU SF_WDOG_TIME_SET is called once in the safety application program and that the watchdog time is correctly selected.

14. Verify that a password for the safety CPU is set to prevent unauthorized access to its data.

15. Verify that only authorized personnel have "Write" access to safety module parameter settings and programs in Automation Builder and AC500-S Programming Tool.

16. Verify that the correct value for power supply supervision was set using POU SF_MAX_POWER_DIP_SET, so that the system behaves correctly in case of under- or overvoltage.

17. Verify that POU SF_SAFETY_MODE is correctly used in the safety application program to avoid unintended safety program execution in DEBUG (non-safety) mode.


18. Verify that no profile version change, "Update Device...", Export/Import, Copy/Paste or Archive related functions in Automation Builder were executed on safety modules after the project was validated.
If the functions mentioned above were used and this leads to a safety boot project with a new CRC, then a full functional test of all parts of the safety application has to be performed. This test must be carried out with the machine in its final configuration including mechanical, electrical and electronic components, sensors, actuators, and software.

19. Verify using the library CRC shown in AC500-S Programming Tool that only certified safety libraries with correct CRCs (refer to Ä Chapter 4.6.1 "Overview" on page 192) are used in the given safety project to execute safety functions. All other user-defined libraries have to be separately validated by the end user to qualify for the given safety application.

20. Make sure that internal POUs from SafetyUtil_CoDeSys_AC500_V22.lib and internal actions from SafetyBase_PROFIsafe_LV210_AC500_V22.lib (or older versions) are not called by the end-user program, which starts from PLC_PRG as the main root.

21. Make sure that, in AC500-S Programming Tool, all three system events ("CallbackInit", "CallbackReadInputs" and "CallbackWriteOutputs") in "Resources → Task configuration → System Events" remain selected.

22. If the flash memory content is used in the safety application for safety functions (SF_FLASH_READ and/or SF_FLASH_WRITE FBs are called in the safety application), then appropriate flash memory content validation procedures (e.g., a proper safety application CRC over the stored safety data) shall be implemented to ensure safety application data integrity before flash memory data are used in safety functions.

23. Verify
● that the symbolic variables of the configured F-Devices are mapped properly and
● that the delivered safety data is correctly represented in your safety application, i.e., if data types which require more than one byte (like Unsigned16, Unsigned32, Integer16, Integer32, Float32) are used in PROFIsafe data.
Note:
The byte order in PROFIsafe data types depends on the endianness of the PROFIsafe device used and on the selected AC500 CPU type (AC500 V2 non-safety CPU supports big-endian; AC500 V3 non-safety CPU supports little-endian).


24. If you use cyclic non-safe data exchange, make sure that only safety functions with up to SIL 2 (IEC 61508 and IEC 62061) and PL d (ISO 13849-1) are triggered by data sent using cyclic non-safe data exchange.
Note:
If cyclic non-safe data exchange is used to send or receive safety-critical data, then the SIL 3 (IEC 61508 and IEC 62061) and PL e (ISO 13849-1) safety requirements are not fulfilled for the sent or received data (independently of the application safety communication profile used), because only one microprocessor (no 1oo2 safety architecture in the background) on the safety CPU handles the sending and receiving direction.
Contact ABB technical support on how to reach SIL 3 and PL e.

25. If you use cyclic non-safe data exchange, verify that the variable names of the cyclic non-safe data exchange which are created for the safety CPU do not start with "S_", "GS_", "IS_" or "OS_".

Reviewer(s):
Machine/Application <ID>:
Signature:
Date:

6.3 Checklist for configuration and wiring

Each item is to be recorded with "Fulfilled (yes / no)?" and a "Comment".

1. Are all safety input and output signals correctly configured and are the output signals connected to physical output channels?

2. Verify that safety CPU switch addresses 0xF0 ... 0xFF are not used for safety CPU identification (e.g., PROFIsafe addresses).

3. Verify that special organizational procedures (e.g., limited access to the cabinet where the safety CPU is located) on the end-customer site are defined to avoid unintended firmware and/or boot code updates on the safety CPU using the SD card.

4. Verify that the correct parameter settings of the non-safety CPU are used for the given safety application Ä Appendix B.3 "AC500 V2 non-safety CPU parameters configuration" on page 391 Ä Appendix C.3 "AC500 V3 non-safety CPU parameters configuration" on page 406.

5. Verify that the required safety function response time of your safety application can be satisfied with the current AC500-S safety PLC settings and that your SFRT calculation is done based on Ä Chapter 5.3 "Safety function response time" on page 334.


6. Verify that none of the safety output channels has a configuration with "Detection" parameter = OFF, which reduces the safety diagnostics for such safety output channels. If such a configuration is used, explain your reasons in the "Comment" section of this checklist and state that the required SIL and PL application levels can be reached with such a configuration.

7. Verify that:
● Address setting is correct.
● Assignment of signal inputs is complete.
● Assignment of signal outputs is complete.
● Assignment of unused inputs is complete.
● All terminal blocks are plugged.

8. Verify that correct firmware versions are used for the dependent non-safety components Ä Appendix B.1 "Compatibility with AC500 V2 non-safety CPU" on page 382 Ä Appendix C.1 "Compatibility with AC500 V3 non-safety CPUs" on page 400. Contact ABB technical support if needed.

9. Verify that only one safety CPU is attached to the non-safety CPU. The use of more than one safety CPU on one non-safety CPU is not allowed.

10. Verify that the correct safety boot project is loaded on the right AC500-S safety CPU, for example, using organizational procedures or fault exclusion (only one safety CPU is available in the machine).
Examples of organizational procedures are:
● If an engineering PC is used and there is more than one safety CPU, then make sure that only the one right safety CPU is reachable from the engineering PC when the given safety boot project is transferred to the safety CPU.
● If an SD card is used and there is more than one safety CPU, then clearly identify each safety CPU and SD card using proper ID markings on stickers attached to each safety CPU and SD card. These ID markings shall provide a clearly readable unique identification of each object, to establish clear rules for the relation "SD card with given safety boot project - safety CPU".

11. Verify that the following rules were correctly applied for safe CPU to CPU communication using SM560-S-FD-1 and SM560-S-FD-4 CPUs:
● In the same codename space, F_Dest_Add shall be unique (Fig. 6 on page 40).
● In the same codename space, F_Source_Add shall not be re-used in other F-Hosts. Inside the same F-Host, re-use is allowed for several F-Host drivers.
● In the same codename space, F_Dest_Add shall not be used as F_Source_Add and vice versa.

12. If SM560-S-FD-1 or SM560-S-FD-4 is used, make sure that the F-Submodules ("12 Byte In/Out (PROFIsafe V2.4)" / "8 Byte and 2 Int In/Out (PROFIsafe V2.4)" / "12 Byte In/Out (PROFIsafe V2.6)" / "123 Byte In/Out (PROFIsafe V2.6)") are correctly connected to the master systems.


13. Verify that not only the codenames but also the F_Dest_Add values are unique in the PROFIsafe networks, if only F_Dest_Add is checked by the F-Device.

Reviewer(s):
Machine/Application <ID>:
Signature:
Date:
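The address rules from checklist 6.2 item 4 and 6.3 items 2, 11 and 13 can be checked mechanically against an exported list of PROFIsafe links before the checklist is signed. The following Python script is an added example, not part of the ABB manual or of Automation Builder: the FLink record, the device names and the rule identifiers are assumptions made for this example, and the sample configuration is constructed so that each rule fires once. Automation Builder already checks F_Source_Add <> F_Dest_Add per F-Device; the script repeats that check so the exported list can be verified offline. Treating the 0xF0 ... 0xFF switch address range of item 2 as forbidden for any F-address is a conservative reading of that item.

```python
"""PROFIsafe address consistency check for an AC500-S configuration.

Added example, not ABB code: applies the address rules from checklist 6.2 item 4
and 6.3 items 2, 11 and 13 to a list of links. Record layout, names and rule
identifiers are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Safety CPU switch addresses reserved by checklist 6.3 item 2; treated here
# (conservatively) as values that must not appear as PROFIsafe F-addresses at all.
RESERVED_SAFETY_CPU_ADDRESSES = range(0xF0, 0x100)


@dataclass(frozen=True)
class FLink:
    codename_space: str   # network island / codename space the link belongs to
    f_host: str           # safety CPU owning this F-Host driver
    f_device: str         # F-Device (safety I/O module or peer safety CPU) name
    f_source_add: int
    f_dest_add: int


def check_profisafe_addresses(links: List[FLink]) -> List[Tuple[str, str]]:
    """Return (rule, message) findings; an empty list means every rule holds."""
    findings = []
    by_space = defaultdict(list)
    for link in links:
        by_space[link.codename_space].append(link)

    for space, ls in sorted(by_space.items()):
        # 6.2 item 4 (also checked by Automation Builder): F_Source_Add <> F_Dest_Add per F-Device
        self_collisions = {l.f_dest_add for l in ls if l.f_source_add == l.f_dest_add}
        for l in ls:
            if l.f_source_add == l.f_dest_add:
                findings.append(("source_equals_dest",
                                 f"{space}/{l.f_device}: F_Source_Add == F_Dest_Add == {l.f_dest_add}"))

        # 6.3 items 11 and 13: F_Dest_Add unique within the codename space
        dest_users = defaultdict(list)
        for l in ls:
            dest_users[l.f_dest_add].append(l.f_device)
        for add, devices in sorted(dest_users.items()):
            if len(devices) > 1:
                findings.append(("dest_not_unique", f"{space}: F_Dest_Add {add} used by {devices}"))

        # 6.3 item 11: F_Source_Add not re-used by another F-Host (re-use inside one F-Host is allowed)
        source_hosts = defaultdict(set)
        for l in ls:
            source_hosts[l.f_source_add].add(l.f_host)
        for add, hosts in sorted(source_hosts.items()):
            if len(hosts) > 1:
                findings.append(("source_reused_across_hosts",
                                 f"{space}: F_Source_Add {add} used by F-Hosts {sorted(hosts)}"))

        # 6.3 item 11: an address is either a source or a destination in the space, never both
        for add in sorted((set(dest_users) & set(source_hosts)) - self_collisions):
            findings.append(("dest_used_as_source",
                             f"{space}: address {add} is F_Dest_Add of {dest_users[add]} and F_Source_Add elsewhere"))

    # 6.3 item 2: keep F-addresses out of the reserved safety CPU switch range
    for l in links:
        for add in (l.f_source_add, l.f_dest_add):
            if add in RESERVED_SAFETY_CPU_ADDRESSES:
                findings.append(("reserved_range",
                                 f"{l.codename_space}/{l.f_device}: address {add:#x} is in 0xF0 ... 0xFF"))
    return findings


# Constructed sample configuration (not from the manual) with one deliberate mistake per rule
SAMPLE_LINKS = [
    FLink("cell-1", "SM560-S", "DI581-S_1", 1, 10),
    FLink("cell-1", "SM560-S", "DX581-S_1", 1, 11),            # same F-Host re-uses source 1: allowed
    FLink("cell-1", "SM560-S-FD-1", "DX581-S_2", 2, 11),       # F_Dest_Add 11 no longer unique
    FLink("cell-1", "SM560-S-FD-1", "SM560-S_peer", 1, 12),    # source 1 re-used by another F-Host
    FLink("cell-1", "SM560-S-FD-1", "AI581-S_1", 12, 0xF3),    # 12 is already a destination; 0xF3 reserved
    FLink("cell-2", "SM560-S_b", "DI581-S_b", 5, 5),           # F_Source_Add == F_Dest_Add
]

# Constructed clean configuration: source re-use inside one F-Host, everything else distinct
CLEAN_LINKS = [
    FLink("cell-1", "SM560-S", "DI581-S_1", 1, 10),
    FLink("cell-1", "SM560-S", "DX581-S_1", 1, 11),
    FLink("cell-1", "SM560-S-FD-1", "SM560-S_peer", 2, 12),
]

if __name__ == "__main__":
    for rule, msg in check_profisafe_addresses(SAMPLE_LINKS):
        print(f"[{rule}] {msg}")
```

The findings are returned rather than printed so the check can be wired into a commissioning script and fail the run when the list is non-empty; the messages name the codename space and F-Device so the entry in the checklist "Comment" column can point at the exact link.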

6.4 Checklist for operation, maintenance and repair

Each item is to be recorded with "Fulfilled (yes / no)?" and a "Comment".

1. Make sure that all safety modules are properly placed in their positions on the terminal base for the safety CPU or the terminal units for safety I/Os, and that stable contact between terminals and safety modules is assured.

2. Check that proper temperature monitoring measures (e.g., temperature sensors placed in the switchgear cabinet and connected to AI581-S safety analog input channels) are implemented in the switchgear cabinet where the AC500-S safety modules are placed, if the operating temperature range for the AC500-S safety PLC cannot be guaranteed.
Note:
Safety digital outputs of the DX581-S module have internal built-in overtemperature protection and always deliver fail-safe "0" values in case of overtemperature.

3. Make sure that the following rule, as defined by the PROFIsafe standard (refer to www.profisafe.net for more details), was considered in the safety application analysis:
● A maximum of 10 communication links (i.e., PROFIsafe connections from the given safety input to the given safety output) per safety function is permitted for an average probability of a dangerous failure of 10^-9/h (SIL 3). In case of more than 10 communication links per safety function, the probability of a dangerous failure increases by 10^-10/h per additional communication link. Correspondingly, a maximum of 100 communication links is permitted in case of SIL 2.

4. Make sure that all network devices used in conjunction with the AC500-S safety PLC meet the requirements of IEC 61010 or IEC 61131-2 (e.g., PELV). Single port routers are not permitted as borders for a safety island. Refer to Ä [2] for further details.


5. Before any deployment of a safety application with PROFIsafe, especially one using wireless components, an assessment for dangerous threats such as eavesdropping or data manipulation shall be executed (refer to Ä [10] for more details). Check that an adequate level of security, defining security zones with security gates, was established. In case of no threat, no security measures are necessary.
Note:
There are two possible threats identified so far, mainly for applications with wireless components Ä [2]:
● Willful changes of parameters of F-Devices and safety programs.
● Attacks on the cyclic communication, e.g., simulation of the safety communication.

6. The complete functional testing of all parts of the safety application has to be performed. This test must be carried out with the machine in its final configuration including mechanical, electrical and electronic components, sensors, actuators, and software.

7. Verify that clear operation, maintenance and repair procedures (organization, responsibility, spare parts, project data backup, etc.) for the safety application are defined.
Note:
● Restart of the corresponding safety control loop is only permitted if there is no hazardous process state, and after an operator acknowledgment (OA_C). Refer to Ä [2] for further details.

8. Verify that proper electrical contact is available between the safety I/O modules (AI581-S, DI581-S and DX581-S) and the TU582-S terminal units. Follow the assembly instructions for safety I/O modules Ä "Assembly of DI581-S" on page 70 Ä "Assembly of DX581-S" on page 96 Ä "Assembly of AI581-S" on page 115.

9. Ensure that the average operating temperature for the safety modules used (AC500-S and AC500-S-XC) does not exceed +40 °C (e.g., temperature sensors could be placed in the switchgear cabinet and connected to AI581-S safety analog input channels for temperature monitoring).

10. Verify that no automatic reboot of the non-safety CPU is programmed in the non-safety program. An automatic reboot of the non-safety CPU would lead to an automatic restart of the safety CPU directly attached to it. Such an automatic restart of the safety CPU may not be acceptable in some safety applications.

Reviewer(s):
Machine/Application <ID>:
Signature:
Date:


6.5 Verification procedure for safe iParameter setting in AC500-S safety I/Os

This verification procedure has to be performed before commissioning of the final safety application and the relevant validation tests, to confirm that F_iPar_CRC was calculated for the correct set of iParameters.

6.5.1 Verification procedure workflow

Personnel: safety application engineer of AC500-S safety PLC

1. In Automation Builder, go to "Tools → Options...". Activate "Show generic device configuration views" and instantiate the given type of safety I/O module (AI581-S, DI581-S or DX581-S) in the Automation Builder tree (DX581-S is used as an example):

2. Go to the iParameter setting tab ("DX581-S", "DI581-S" or "AI581-S") for the given module and set the appropriate iParameter values (e.g., "Test Pulse", "Input Delay", etc.).

3. Verify against your safety application technical specification that all iParameters for all safety I/O channels are set correctly.

4. Go to the "F-Parameter" tab and press the [Calculate] button. Copy the calculated F_iPar_CRC value from the "Checksum iParameter" field and paste it into the "F_iPar_CRC" field of the F-Parameter editor.


5. Go to “<safety I/O module name> Parameters” tab, and verify using a cross-checkaccording to Ä Chapter 6.5.2 “ Verification tables for iParameter settings in AC500-Ssafety I/Os” on page 351 that iParameter settings previously set at Step 2 are the sameas ones listed in the “Value” column for given channels (use Ä Chapter 6.5.2 “ Verificationtables for iParameter settings in AC500-S safety I/Os” on page 351 to decode integervalues to real parameter values).

6. Go to the “F-Parameter” tab and press the [Calculate] button once more, even if the previous value is still available. Compare the value shown in the “Checksum iParameter” field with the one in the F_iPar_CRC field of the F-Parameter editor; they have to be the same.

Result: If the F_iPar_CRC values are the same, then the verification procedure for the given iParameter settings of the given AC500-S safety I/O module was successfully passed.

Important!
● If any errors (F_iPar_CRC or iParameters not equal) were identified during Steps 1 ... 6, redo the same procedure from the beginning. If after this second repetition there is still an inconsistency, contact ABB technical support for help.
● Note: once the iParameter values have been verified as described in Steps 1 ... 6, you can re-use this iParameter combination with the given F_iPar_CRC for further modules of the same type without repeating the verification procedure described above.

6.5.2 Verification tables for iParameter settings in AC500-S safety I/Os

The instructions below provide a basis for the cross-check of the values set for iParameters in the “AI581-S”, “DI581-S” and “DX581-S” tabs.


6.5.2.1 AI581-S safety I/O tables

Fig. 126: The “AI581-S Parameters” tab is a readback view for iParameters set in “AI581-S” tab.

1 “AI581-S” tab
2 “AI581-S Parameters” tab

1. Make sure that the “Check supply” parameter in both the “AI581-S” and “AI581-S Parameters” tabs has the same value, "On" or "Off".

2. Refer to the “AI581-S” tab and calculate the “Input channel 0” decimal equivalent (Dec_InputChannel0) as:
Dec_InputChannel0 = Configuration_Value + Noise_Rejection_Value
where
Configuration_Value:
0 ➔ Not used
3 ➔ 1 channel (0 ... 20 mA)
4 ➔ 1 channel (4 ... 20 mA)
5 ➔ 2 channel (4 ... 20 mA)
Noise_Rejection_Value:
0 ➔ None
64 ➔ 50 Hz
128 ➔ 60 Hz
Compare the calculated Dec_InputChannel0 with "Input 0, channel configuration value". They have to be equal. If they are not equal, stop the procedure and redo the configuration and comparison. If after the second iteration there is still a difference between those values, stop the verification procedure and contact ABB technical support.

3. Repeat step 2 for the remaining analog input channels (input 1, input 2 and input 3).


4. Refer to the “AI581-S” tab and calculate the "Analog inputs 0/2 - Extended configuration" decimal equivalent (Dec_ExtConf0_2) as:
Dec_ExtConf0_2 = Tolerance_Range_Value + Min_Max_Value
where
Tolerance_Range_Value:
4 ➔ 4 %
5 ➔ 5 %
6 ➔ 6 %
7 ➔ 7 %
8 ➔ 8 %
9 ➔ 9 %
10 ➔ 10 %
11 ➔ 11 %
12 ➔ 12 %
Min_Max_Value:
0 ➔ Min
128 ➔ Max
Compare the calculated Dec_ExtConf0_2 with "Analog inputs 0/2 - Extended configuration". They have to be equal. If they are not equal, stop the procedure and redo the configuration and comparison. If after the second iteration there is still a difference between those values, stop the verification procedure and contact ABB technical support.

5. Repeat step 4 for "Analog inputs 1/3 - Extended configuration" value.

6.5.2.2 DI581-S safety I/O tables

Fig. 127: The “DI581-S Parameters” tab is a readback view for iParameters set in “DI581-S” tab.

1 “DI581-S” tab
2 “DI581-S Parameters” tab

1. Make sure that the “Check supply” parameter in both the “DI581-S” and “DI581-S Parameters” tabs has the same value, "On" or "Off".


2. Refer to the “DI581-S” tab and calculate the “Input channel 0” decimal equivalent (Dec_InputChannel0) as:
Dec_InputChannel0 = Configuration_Value + Test_Pulse_Value + Input_Delay_Value
where
Configuration_Value:
0 ➔ Not used
1 ➔ 1 channel
2 ➔ 2 channel equivalent
3 ➔ 2 channel antivalent
Test_Pulse_Value:
0 ➔ Disabled
8 ➔ Enabled
Input_Delay_Value:
16 ➔ 1 ms
32 ➔ 2 ms
48 ➔ 5 ms
64 ➔ 10 ms
80 ➔ 15 ms
96 ➔ 30 ms
112 ➔ 50 ms
128 ➔ 100 ms
144 ➔ 200 ms
160 ➔ 500 ms
Compare the calculated Dec_InputChannel0 with "Input 0, channel configuration value". They have to be equal. If they are not equal, stop the procedure and redo the configuration and comparison. If after the second iteration there is still a difference between those values, stop the verification procedure and contact ABB technical support.

3. Repeat step 2 for the remaining digital input channels (input 1, input 2, ... input 15).


4. Make sure that the “2 channel configuration 0/8” parameter in the “DI581-S” tab has the same value as the “Inputs 0/8, discrepancy time” parameter in the “DI581-S Parameters” tab. If the values are not the same, stop the procedure and redo the configuration and comparison. If after the second iteration there is still a difference between those values, stop the verification procedure and contact ABB technical support.

Fig. 128: Compare “DI581-S” tab and “DI581-S Parameters” tab

1 “2 channel configuration 0/8” parameter in “DI581-S” tab
2 “Inputs 0/8, discrepancy time” parameter in “DI581-S Parameters” tab

5. Repeat step 4 for the rest of the channel combinations:
● Inputs 1/9, discrepancy time
● Inputs 2/10, discrepancy time
● Inputs 3/11, discrepancy time
● Inputs 4/12, discrepancy time
● Inputs 5/13, discrepancy time
● Inputs 6/14, discrepancy time
● Inputs 7/15, discrepancy time


6.5.2.3 DX581-S safety I/O tables

Fig. 129: The “DX581-S Parameters” tab is a readback view for iParameters set in “DX581-S” tab.

1 “DX581-S” tab
2 “DX581-S Parameters” tab

1. Make sure that the “Check supply” parameter in both the “DX581-S” and “DX581-S Parameters” tabs has the same value, "On" or "Off".


2. Refer to the “DX581-S” tab and calculate the “Input channel 0” decimal equivalent (Dec_InputChannel0) as:
Dec_InputChannel0 = Configuration_Value + Test_Pulse_Value + Input_Delay_Value
where
Configuration_Value:
0 ➔ Not used
1 ➔ 1 channel
2 ➔ 2 channel equivalent
3 ➔ 2 channel antivalent
Test_Pulse_Value:
0 ➔ Disabled
8 ➔ Enabled
Input_Delay_Value:
16 ➔ 1 ms
32 ➔ 2 ms
48 ➔ 5 ms
64 ➔ 10 ms
80 ➔ 15 ms
96 ➔ 30 ms
112 ➔ 50 ms
128 ➔ 100 ms
144 ➔ 200 ms
160 ➔ 500 ms
Compare the calculated Dec_InputChannel0 with "Input 0, channel configuration value". They have to be equal. If they are not equal, stop the procedure and redo the configuration and comparison. If after the second iteration there is still a difference between those values, stop the verification procedure and contact ABB technical support.

3. Repeat step 2 for the remaining digital input channels (input 1, input 2, ... input 7).


4. Make sure that the “2 channel configuration 0/4” parameter in the “DX581-S” tab has the same value as the “Inputs 0/4, discrepancy time” parameter in the “DX581-S Parameters” tab. If the values are not the same, stop the procedure and redo the configuration and comparison. If after the second iteration there is still a difference between those values, stop the verification procedure and contact ABB technical support.

Fig. 130: Compare “DX581-S” tab and “DX581-S Parameters” tab

1 “2 channel configuration 0/4” parameter in “DX581-S” tab
2 “Inputs 0/4, discrepancy time” parameter in “DX581-S Parameters” tab

5. Repeat step 4 for the rest of the input channel combinations:
● Inputs 1/5, discrepancy time
● Inputs 2/6, discrepancy time
● Inputs 3/7, discrepancy time

6. Refer to the “DX581-S” tab and calculate the "Output channel 0" decimal equivalent (Dec_OutputChannel0) as:
Dec_OutputChannel0 = Detection_Value + Output_Value + 1
where
Detection_Value:
0 ➔ Off
64 ➔ On
Output_Value:
0 ➔ Not used
128 ➔ Used
Compare the calculated Dec_OutputChannel0 with "Output 0, channel configuration". They have to be equal. If they are not equal, stop the procedure and redo the configuration and comparison. If after the second iteration there is still a difference between those values, stop the verification procedure and contact ABB technical support.

7. Repeat step 6 for the remaining digital output channels (channel 1, channel 2, ... channel 7).
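The decimal-equivalent formulas in sections 6.5.2.1 to 6.5.2.3 are plain bit packing, so the cross-check of step 5 of the workflow can be prepared offline as well as by hand. The following Python script is an added example and is not part of the ABB manual or of the Automation Builder tooling; the function names, the dictionary layout and the constructed DX581-S channel values are assumptions made for illustration. It encodes the settings entered in the “<module>” tab to the integer the “<module> Parameters” tab should display, decodes a readback integer back to parameter values, rejects any bit pattern that no table entry can produce (a readback that cannot come from any valid iParameter set is a finding in its own right, not a value to compare), and lists the channels whose readback differs from the computed value. One script serves all three modules, because the DI581-S and DX581-S input tables are identical and the AI581-S tables only use different fields.

```python
"""Offline cross-check of AC500-S safety I/O iParameter readback values.

Added example (not ABB tooling): re-implements the decimal-equivalent
formulas of chapter 6.5.2 so that the integer shown in the
"<module> Parameters" tab can be decoded and compared with the value
computed from the settings entered in the "<module>" tab.
"""

# Value tables as listed in chapter 6.5.2 (DI581-S and DX581-S inputs share one table).
DI_CONFIG = {"Not used": 0, "1 channel": 1,
             "2 channel equivalent": 2, "2 channel antivalent": 3}
DI_TEST_PULSE = 8                      # added when "Test Pulse" is enabled
DI_DELAY = {1: 16, 2: 32, 5: 48, 10: 64, 15: 80,
            30: 96, 50: 112, 100: 128, 200: 144, 500: 160}   # input delay ms -> value
AI_CONFIG = {"Not used": 0, "1 channel (0 ... 20 mA)": 3,
             "1 channel (4 ... 20 mA)": 4, "2 channel (4 ... 20 mA)": 5}
AI_NOISE = {"None": 0, "50 Hz": 64, "60 Hz": 128}
AI_MAX = 128                           # Min_Max_Value: 0 = Min, 128 = Max
DX_DETECTION_ON = 64                   # Detection_Value: 0 = Off, 64 = On
DX_OUTPUT_USED = 128                   # Output_Value: 0 = Not used, 128 = Used


def _check_byte(value: int) -> None:
    if not 0 <= value <= 255:
        raise ValueError(f"{value}: readback values are single bytes")


def _lookup(table: dict, code: int, value: int):
    """Map a bit field back to its table entry. A pattern the table does not
    define means the readback cannot have come from any valid iParameter set."""
    inverse = {v: k for k, v in table.items()}
    if code not in inverse:
        raise ValueError(f"{value}: no iParameter combination encodes to this value")
    return inverse[code]


# DI581-S / DX581-S "Input channel n": Configuration + Test_Pulse + Input_Delay
def encode_di_input(config: str, test_pulse: bool, delay_ms: int) -> int:
    return DI_CONFIG[config] + (DI_TEST_PULSE if test_pulse else 0) + DI_DELAY[delay_ms]


def decode_di_input(value: int) -> dict:
    _check_byte(value)
    config = _lookup(DI_CONFIG, value & 0x07, value)    # bits 0..2 (only 0..3 defined)
    delay = _lookup(DI_DELAY, value & 0xF0, value)      # bits 4..7 (only 16..160 defined)
    return {"config": config, "test_pulse": bool(value & DI_TEST_PULSE), "delay_ms": delay}


# AI581-S "Input channel n": Configuration + Noise_Rejection
def encode_ai_input(config: str, noise: str) -> int:
    return AI_CONFIG[config] + AI_NOISE[noise]


def decode_ai_input(value: int) -> dict:
    _check_byte(value)
    config = _lookup(AI_CONFIG, value & 0x3F, value)    # bits 0..5 (only 0, 3, 4, 5 defined)
    noise = _lookup(AI_NOISE, value & 0xC0, value)      # bits 6..7 (192 is not defined)
    return {"config": config, "noise_rejection": noise}


# AI581-S "Analog inputs n/m - Extended configuration": Tolerance_Range + Min_Max
def encode_ai_ext(tolerance_pct: int, use_max: bool) -> int:
    if not 4 <= tolerance_pct <= 12:
        raise ValueError("tolerance range must be 4 ... 12 %")
    return tolerance_pct + (AI_MAX if use_max else 0)


def decode_ai_ext(value: int) -> dict:
    _check_byte(value)
    tolerance = value & 0x7F
    if not 4 <= tolerance <= 12:
        raise ValueError(f"{value}: tolerance field outside 4 ... 12 %")
    return {"tolerance_pct": tolerance, "limit": "Max" if value & AI_MAX else "Min"}


# DX581-S "Output channel n": Detection + Output + 1 (bit 0 is therefore always set)
def encode_dx_output(detection_on: bool, used: bool) -> int:
    return (DX_DETECTION_ON if detection_on else 0) + (DX_OUTPUT_USED if used else 0) + 1


def decode_dx_output(value: int) -> dict:
    _check_byte(value)
    if value & 0x3F != 1:
        raise ValueError(f"{value}: no iParameter combination encodes to this value")
    return {"detection_on": bool(value & DX_DETECTION_ON), "used": bool(value & DX_OUTPUT_USED)}


def cross_check(expected: dict, readback: dict) -> list:
    """Step 5 of the workflow for one module. `expected` maps channel name to the
    value computed with the encode_* helpers from the "<module>" tab, `readback`
    maps channel name to the integer copied from the "<module> Parameters" tab.
    Returns the channels that differ; an empty list means the readback matches."""
    return [name for name, value in expected.items() if readback.get(name) != value]


if __name__ == "__main__":
    # Constructed DX581-S sample: input 0 = 2 channel antivalent, test pulse on, 10 ms;
    # output 0 = detection on, used. The readback for output 0 is deliberately wrong.
    expected = {"Input 0": encode_di_input("2 channel antivalent", True, 10),   # 75
                "Output 0": encode_dx_output(True, True)}                       # 193
    readback = {"Input 0": 75, "Output 0": 129}
    for name in cross_check(expected, readback):
        print(f"{name}: entered {expected[name]}, readback {readback[name]} "
              f"({decode_dx_output(readback[name])})")
```

The decoders are deliberately strict: every undefined bit pattern raises instead of being mapped to the nearest table entry, so a readback of, say, 192 on a DI channel (delay field 192, which the table does not define) is reported as invalid rather than compared as if it were a legal configuration. The script only reproduces the arithmetic of the tables; it does not replace the F_iPar_CRC calculation in the F-Parameter tab or the comparison of Step 6.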


7 Safety application examples

7.1 Overview

In this chapter, application examples based on PLCopen Safety POUs are presented, with the main goal of explaining how PLCopen Safety POUs can be used in typical safety applications. The examples are taken from [6] with permission from the PLCopen organization. Initialization procedures for handling the PROFIsafe start-up behavior and AC500-S specific POUs are not listed in these examples, but have to be included in the final safety application programs.
As an example of the usage of safety functions, the following production line is used. The PLCopen FBs described below can be used to easily realize the safety application program for this production line.

Fig. 131: Example of safety functionalities in a production line

1 Centralized switchgear cabinet, including the safety-related part of the control system where the safety-related function blocks are running.

2 Infeed of material. In this part, no special safety-related functions are used. However, safety functionalities like muting to separate between products and persons could be used.

3 Cutting of the material. For manual control, a two-hand control safety function (unit is in front of the machine) is added, combined with a 2-fold door monitoring system (attached to the door on the machine).

4 Automatic printing station, with door monitoring as safety function in case of service access (attached to the door on the machine).

5 First cartoning machine with door monitoring as safety function in case of service access (attached to the door on the machine). Sometimes, manual operation is necessary. In this case, the operator can run the machine at a safely limited speed controlled by an enabling device which, when released, initiates a safe stop.

6 Second cartoning machine, guarded by electro-sensitive protective equipment (ESPE). In this case, it is a light curtain.

7 Palletizing function, guarded by safety mats. This functionality could be coupled to the ESPE safety function.

8 Foil wrapping station of the palletized products with an exit of the production line. This area is safeguarded by several combined light beams, coupled to the ESPE safety function.

In addition, every station is equipped with an emergency stop.


7.2 Example 1: diagnostics concept

This example shows the usage of the diagnostics concept, with a daisy chain from the FB parameters Activate and Ready (with perhaps a pre-evaluation of hardware errors). The other examples (Chapter 7.3 “Example 2: muting” on page 364 and Chapter 7.4 “Example 3: two-hand control” on page 368) do not show the diagnostic connections.
The safety functionality is to stop a drive in accordance with stop category 1 of IEC 60204-1, initiated by an emergency stop or by interrupting the light curtain. The equivalent monitoring of the 2 connectors of the emergency stop switch is done in the safety application.
In this example, both options of input evaluation are shown:
● via intelligent safety input
● via the equivalent function block

7.2.1 Functional description of safety functions

This example uses the following safety functions:
● Issuing the emergency stop (via SF_EmergencyStop) or interrupting the light beam in the light curtain (via SF_ESPE) stops the drive in accordance with stop category 1.
● The stop of the electrical drive within a predefined time is monitored (via SF_SafeStop1).
● The safe status of the drive is indicated by the S_Stopped variable, connected to the functional application.
● If the stop is performed by the emergency stop switch, a manual reset is required (via SF_EmergencyStop).
● If a monitoring time violation is detected (via SF_SafeStop1), a manual error acknowledge is required to allow a reset.
● The 2 channel connectors of the emergency stop are monitored. An error is detected when both inputs do not have the same status once the discrepancy time has elapsed (via SF_Equivalent).
● The functional stop in this example is performed as a safe stop issued from the functional application. A restart interlock for this stop is not necessary.


7.2.2 Graphical overview of safety application interface

Fig. 132: Graphical overview of the example with emergency stop

The symbol represents a direct opening action (refer to IEC 60947-5-1).

7.2.3 Declaration of used variables

Table 96: Inputs
Name | Data type | Description
S1_S_EstopIn_1 | BOOL | Emergency stop channel 1
S1_S_EstopIn_2 | BOOL | Emergency stop channel 2
S2_ESPE_In | BOOL | Light curtain signal
S0_Reset | BOOL | Reset emergency stop and ESPE
S3_Drive_Reset | BOOL | Reset drive error

Table 97: Outputs
Name | Data type | Description
S_Stopped | BOOL | Indication of safe stop of drive
Errors | BOOL | Represents all errors of the used FB (connected to the functional application)
DiagCodes | WORD | Represents all diagnostic codes of the used FB (connected to the functional application)


Table 98: Hidden interface of FB instances towards drives (vendor specific)
Name | Description
SF_SafeStop1_1 | Connection to Drive 1

Table 99: Local variables
Name | Data type | Description
S_EStopOut | BOOL | Emergency stop request
InputDevice1_active | BOOL | Status of the relevant input device as provided by the system
InputDevice2_active | BOOL | Status of the relevant input device as provided by the system

7.2.4 Program example

Fig. 133: Program example - emergency stop with safe stop and equivalence monitoring

1 Two channel line monitoring. Function block SF_Equivalent produces a single BOOL signal out of the two separate signals from the emergency stop channels. The discrepancy time is set constantly to 10 ms.

2 Emergency stop with restart inhibit. Function block SF_EmergencyStop handles the emergency stop condition. After an emergency stop request, as well as after power up, the safety output is only released after a manual restart. This behavior is enabled by setting the S_StartReset and S_AutoReset inputs to FALSE.

3 ESPE: Function block SF_ESPE handles the light curtain interface. After an intrusion into the protected field, as well as after power up, the safety output is only released after a manual restart. This behavior is enabled by setting the S_StartReset and S_AutoReset inputs to FALSE.

4 Safe stop 1 request handling: Function block SF_SafeStop1 handles the safe stop 1 request for AxisID_1 and monitors that the axis follows the request within the predefined monitoring time of 100 ms. Any error condition within the axis has to be acknowledged by a manual drive reset signal.


7.2.5 Additional notes

Information on the diagnostics concept
This example uses different reset signals to acknowledge the emergency stop and to acknowledge the monitoring violation of the drive. If the safety requirement specification of the application allows the acknowledgment of both situations with the same signaling device, the identical signal from the functional application may be used to reset the FB SF_EmergencyStop_1 as well as to reset the FB SF_SafeStop1_1.

The representation of the diagnostics concept is for information only. For the safety functionality, the dedicated safety inputs and outputs shall be used.

Daisy chain from Activate and Ready
The connection of the Ready output to the Activate input of the following FB ensures that no irrelevant diagnostic information is generated if a device is disabled. The daisy chain from Activate and Ready avoids subsequent error messages of related function blocks.

Pre-evaluation of hardware errors
If the target system supports an error signal, e.g., InputDevice_active, which represents the status (active or not active) of the relevant safety device, this signal can be used to disable the safety function blocks. This ensures that no irrelevant diagnostic information is generated if a device is disabled. If no such error signal is provided by the target system, a static TRUE signal must be assigned to the Activate input.

Evaluation of the diagnostic information
The Error signals and DiagCodes of each safety function block are transferred to the non-safety application. Diagnosis information might be processed and displayed by an attached visualization. There are different possibilities to realize the evaluation of the diagnostic information:
● Transfer these values into the visualization and realize the diagnostic evaluation in the visualization.
● Realize the diagnostic evaluation in the non-safety logic and transfer the results to the visualization.
Because of the various possibilities and the differences between target systems in realizing diagnostic processing, no specific example is shown here. Further diagnostic processing could be:
● Display of the error status for each safety function block.
● Providing an error overview which is linked to function block specific error displays.
● Detection and display of the last error of the used safety function blocks in the safety application.

Information on the used function block parameters
Function block | Input | Constant value | Description
SF_Equivalent_1 | S_DiscrepancyTime | 10 ms | Maximum monitoring time for discrepancy status of both inputs.
SF_EmergencyStop_1 | S_StartReset | FALSE | Manual reset when PES is started (warm or cold).
SF_EmergencyStop_1 | S_AutoReset | FALSE | Manual reset when emergency stop button is released.
SF_SafeStop1_1 | AxisID | AxisID_1 | Drive address, supplier specific value
SF_SafeStop1_1 | MonitoringTime | 100 ms | Time until the drive shall be stopped.
SF_ESPE | S_StartReset | FALSE | Manual reset when PES is started (warm or cold).
SF_ESPE | S_AutoReset | FALSE | Manual reset after safety demand condition is cleared.


7.3 Example 2: muting

This example describes the safety functions for the safeguarding of a production cell. Objects are transferred through an entry gate, which is guarded by a light curtain. This light curtain can be muted only for material transport into the cell. The cell may be entered by the operator through a safety door. The process inside the cell is controlled by the functional application and enabled by the safety circuit. In case of a safety demand or an error, all hazardous movements are stopped in accordance with stop category 0.

7.3.1 Functional description of safety functions

All hazardous movements are stopped in case of:
● an opening of the door.
● an error (e.g., invalid muting sequence).
● an interruption of the unmuted light curtain (e.g., by a person).
● pushing an emergency stop button.
By pushing an emergency stop button, the operator can also stop all hazardous movements in stop category 0 (via SF_EmergencyStop and subsequent FBs).
An infringement of the unmuted light curtain stops all hazardous movements. In this application, a light curtain type 2 is used, which requires a test by the FB SF_TestableSafetySensor.
For the described muting function, four muting sensors are applied sequentially (via SF_MutingSeq). Additionally, the muting phase is indicated by a lamp, which is monitored in this case (also via SF_MutingSeq).
An additional door for maintenance purposes is monitored by a door switch (via SF_GuardMonitoring).
By pressing the reset buttons, the operator must acknowledge the detected demand of the safety functions and errors.
The initial state and the operational state of the connected actuator are checked by an external device monitoring. In case an error is detected, the control cannot become operational (via SF_EDM).
The process and related movements inside the production cell are controlled by the functional application. Within the safety application, this control is enabled by the above-described safety circuit (via SF_OutControl) and drives the actuator via a safety output.


7.3.2 Graphical overview of the safety application interface

Fig. 134: Graphical overview of the exemplary access protection at a material gate

7.3.3 Declaration of used variables

Table 100: Inputs
Name | Data type | Description
S1_S_EStopIn | BOOL | Emergency stop button S1
S2_MutingSwitch11 | BOOL | Muting sensor S2
S3_MutingSwitch12 | BOOL | Muting sensor S3
S4_MutingSwitch21 | BOOL | Muting sensor S4
S5_MutingSwitch22 | BOOL | Muting sensor S5
S6_S_GuardSwitch | BOOL | Door switch S6 with two contacts


L1_S_MutingLamp | BOOL | Muting lamp monitor signal L1
S7_S_AOPD_In | BOOL | OSSD from light curtain S7
K1_S_EDM | BOOL | Feedback from external device K1 (actuator)
K2_S_EDM | BOOL | Feedback from external device K2 (actuator)
S9_Reset | BOOL | Reset safety demand by user S9
S0_Reset | BOOL | Reset error by user S0 (derived from functional application)
ApplCtrl1 | BOOL | Signal controlling the actuator, enabled by safety loop (derived from functional application)
StartTest_LC1 | BOOL | Signal starting test of light curtain S7 (derived from functional application)
ApplMutingEnable1 | BOOL | Signal enabling start of the muting sequence (derived from functional application)

Table 101: Outputs
Name | Data type | Description
S_EDM_Out_K | BOOL | Drives actuator via K1 and K2
S_MutingActive_L1 | BOOL | Drives muting lamp L1
S_TestOut_LightCurtain_S8 | BOOL | Test output for light curtain S8
Errors | BOOL | Represents all errors of the used FB (connected to functional application)
DiagCodes | WORD | Represents all diagnostic codes of the used FB (connected to functional application)
TestPossible_LC1 | BOOL | Indicates to the functional application that an automatic sensor test of the light curtain is possible.
TestExecuted_LC1 | BOOL | Indicates to the functional application the successful execution of an automatic sensor test of the light curtain.

Table 102: Local variables
Name | Data type | Description
S_SafeControl | BOOL | Indicates the status of the safety guards (TRUE = safety enabled)


7.3.4 Program example

Fig. 135: Access protection at a material gate

7.3.5 Additional notes

In this example, the two contacts of the guard switch are connected to a safety input device, which realizes the error detection. The resulting BOOL signal is mapped to both input channels of SF_GuardMonitoring_1.
The diagnostic information retrieval has not been covered in this example. For this, refer to Chapter 7.2.5 “Additional notes” on page 363. The input parameter Activate for the dynamic FB activation has been set to TRUE. However, in an application, this can be replaced by a variable.

Information about the used function block parameters
Function block | Input | Constant value | Description
SF_EmergencyStop_1 | S_StartReset | TRUE | Automatic reset allowed when PES is started
SF_EmergencyStop_1 | S_AutoReset | FALSE | No automatic reset, user reset/acknowledge necessary


SF_GuardMonitoring_1 | S_StartReset | TRUE | Automatic reset allowed when PES is started
SF_GuardMonitoring_1 | S_AutoReset | FALSE | No automatic reset, user reset/acknowledge necessary
SF_GuardMonitoring_1 | DiscrepancyTime | T#0ms | The discrepancy time between both safety inputs S_GuardSwitchX is not monitored, because they are identical and because the input unit provides one signal of type BOOL from the contactors.
SF_MutingSeq_1 | S_StartReset | TRUE | Automatic reset allowed when PES is started
SF_MutingSeq_1 | MaxMutingTime | T#30s | The maximum muting time is monitored to be within 30 s
SF_LightCurtain_1 | S_StartReset | TRUE | Automatic reset allowed when PES is started
SF_LightCurtain_1 | S_AutoReset | FALSE | No automatic reset, user reset/acknowledge necessary
SF_LightCurtain_1 | TestTime | T#100ms | The maximum test time is monitored to be within 100 ms
SF_LightCurtain_1 | NoExternalTest | TRUE | The external manual sensor test is not supported.
SF_OutControl_1 | S_StartReset | FALSE | No automatic reset allowed when PES is started
SF_OutControl_1 | S_AutoReset | FALSE | No automatic reset, user reset/acknowledge necessary
SF_OutControl_1 | StaticControl | FALSE | A dynamic change of the signal ApplCtrl1 (rising edge) is required after block activation or a triggered safety function (S_SafeControl = FALSE).
SF_EDM_Contactor_1 | S_StartReset | FALSE | No automatic reset allowed when PES is started
SF_EDM_Contactor_1 | MonitoringTime | T#30ms | The maximum response time of both feedback signals S_EDM1 and S_EDM2 is monitored to be within 30 ms.

7.4 Example 3: two-hand control

This example describes a machine where a two-hand control initiates the dangerous movement as long as both push buttons on the two-hand control are pressed and the process provides an enabling signal. The dangerous movement is initiated by the closing of two subsequent contactors, which are monitored via a feedback loop.

7.4.1 Functional description of safety functions

This example uses the following safety functions:
● By pushing an emergency stop button, all hazardous movements must be stopped (via SF_EmergencyStop). Emergency stop has the highest priority. After releasing the E-Stop push button, a reset via S0_Reset is required.
● By pressing both push buttons of the two-hand control, the safety output is activated. The release of either of the two-hand push buttons disables the safety output and stops the dangerous motion via the contactors K1 and K2 (via SF_TwoHandControlTypeII).


● The initial state and the operational state of the connected contactors K1 and K2 are monitored and, if an error is detected, the safety output cannot become operational (via SF_EDM).
● After power-on of the safety or functional application, or after an emergency stop condition, the two-hand control must be released and re-operated in order to activate the safety output again (via SF_OutControl). In order to guarantee this for the functional application restart, the process signal from the functional application is connected to the Activate input of the two-hand control function block THC_S2_S3. (If the application process is restarted while the two-hand control is activated, the FB goes to state C003, signaling the error that both buttons are pressed at activation and prohibiting a restart.)

In this example, only one operation mode exists.

7.4.2 Graphical overview of the safety application interface

The safety inputs for the two-hand control (S2_S_Switch1 and S3_S_Switch2) are connected to the two-hand control type II.

Fig. 136: Graphical overview of the exemplary two-hand control with EDM


7.4.3 Declaration of used variables

Table 103: Inputs
Name | Data type | Description
S1_S_EStopIn | BOOL | Emergency stop button S1
S2_S_Switch1 | BOOL | Switch S2 related to push button 1 of two-hand control
S3_S_Switch2 | BOOL | Switch S3 related to push button 2 of two-hand control
K1_S_EDM1 | BOOL | Feedback from external device K1 (actuator)
K2_S_EDM2 | BOOL | Feedback from external device K2 (actuator)
S0_Reset | BOOL | Reset by user via switch S0 (derived from the functional application)
Process | BOOL | Enabling motion by the process (derived from functional application)

Table 104: Outputs
Name | Data type | Description
S_EDM_Out_EDM_K1_K2 | BOOL | Drives actuator via K1 and K2
Errors | BOOL | Represents all errors of the used FB (connected to the functional application)
DiagCodes | WORD | Represents all diagnostic codes of the used FB (connected to the functional application)

7.4.4 Program example

Fig. 137: Application program of two-hand control with EDM


7.4.5 Additional notes

This example can also be used with SF_TwoHandControlTypeIII.
The diagnostic information retrieval has not been covered in this example. For this, refer to Chapter 7.2.5 “Additional notes” on page 363. The input Activate has been set to TRUE. However, in an application this can be replaced by a variable.

Information about the used function block parameters
Function block | Input | Constant value | Description
EStop_S1 | S_StartReset | FALSE | No automatic reset when PES is started
EStop_S1 | S_AutoReset | FALSE | No automatic reset, user reset/acknowledge necessary
OC_K1_K2 | S_StartReset | TRUE | Automatic reset allowed when PES is started
OC_K1_K2 | S_AutoReset | TRUE | Automatic reset, no user reset/acknowledge necessary
OC_K1_K2 | StaticControl | FALSE | A dynamic change of the signal Appl_Control (rising edge) is required after block activation or a triggered safety function (S_SafeControl = FALSE)
EDM_K1_K2 | S_StartReset | FALSE | No automatic reset when PES is started
EDM_K1_K2 | MonitoringTime | T#200ms | The maximum response time of both feedback signals S_EDM1 and S_EDM2 is monitored to be within 200 ms.


— 8 Index

1, 2, 3 ...
1oo2 9, 12, 15
2 channel mode 66, 91, 113, 128

A
AC500 9
AC500 V2 382, 391, 392, 393
AC500 V3 400, 406, 408, 409
AC500-eCo 382, 400
AC500-S 9
AC500-S Programming Tool 9, 34, 35, 46, 135, 140, 148, 191, 192, 197, 305, 343
AC500-S-XC 9, 376
AC500-XC 9
acyclic non-safe data exchange 330, 332
    AC500 V3 410
    V2 394
AI581-S 18, 112
AOPD 9
Automation Builder 9, 34, 50, 73, 99, 118, 135, 136, 137, 148, 382, 400

B
behavior of outputs in stop 391
boot code update 41, 346
boot project update 41
bus cycle task 406

C
checklist
    configuration and wiring 346
    operation, maintenance and repair 348
    safety application program 343
compatibility mode (for data exchange) 415
compatibility safety CPU and non-safety CPU
    AC500 V3 400
    V2 382
Control Builder Plus 9, 382
CRC 9, 22, 54, 135, 138, 140, 192, 197, 323, 326, 328, 343
CRC calculation (user-defined) 309
cyclic non-safe data exchange
    AC500 V3 411
    V2 399

D
data exchange (non-safe)
    AC500 V3 409
    acyclic 330, 332
    V2 393
DI581-S 17, 65
DPRAM 9, 34
DPRAM_SM5XX_REC 397
DPRAM_SM5XX_SEND 395
DX581-S 17, 90

E
EMC 9, 52, 87, 108, 127, 377
engineering suite 9, 382, 400
error messages
    AC500 V3 401
    safety CPU 384, 401
    safety I/O modules 389, 404
    V2 383
error severity 9

F
F_iPar_CRC 22, 140
F-Device 9, 49, 140, 148, 197, 305
F-Host 9, 22, 46, 49, 54, 73, 99, 118, 140, 148, 192, 197
F-Parameter 9, 64, 140, 148, 343
fault reaction time 334
firmware update 41, 346
firmware version
    AC500 V3 400
    V2 382
flash memory 9, 36, 38, 148, 192, 316, 323, 326, 328

G
GSDML 9, 22, 73, 99, 118, 138, 140

I
IO controller 9
IO device 9
iParameter 9, 140, 148

Page 373: AC500-S Safety user manual V1.3.0 - ABB

L
libraries for AC500-S 193, 197, 202, 305, 309, 316
license 135, 137, 197
LSB 9

M
manipulation 22, 255, 263, 276
MSB 9
MTTFd 12, 19
muting 9, 255, 258, 259, 260, 263, 269, 270, 276, 279, 280, 364, 365

N
non-safety CPU settings
    AC500 V3 406, 408
    V2 391, 392

P
passivation 9
password 136, 138, 174
PFH 9, 12, 19
PLC browser 36, 46, 148, 392
PLC settings 406
PLC shell 46, 408
PM5xx AC500 V2 CPU 382
PM56xx AC500 V3 CPU 400
power cycle 9
prevent automatic modification of safety application 415
PROFINET 9, 12, 15, 22, 54, 65, 73, 90, 99, 112, 118, 138, 140, 334
PROFIsafe 9, 12, 15, 21, 22, 38, 43, 46, 49, 54, 66, 91, 113, 138, 140, 148, 192, 197, 305, 318, 334, 343, 346, 359
PROFIsafe diagnostic 9, 54, 148
programming tool 9
PS501 9
PTC 9

Q
qualified personnel 9, 20, 54

R
reintegration 9, 54
RIOforFA 9

S
SAFE STOP 24, 36, 37, 38, 43, 46, 49, 54, 85, 106, 125, 318
safety code analysis 9, 191
safety function 9, 24, 25, 197, 247, 255, 263, 276, 288, 293, 298, 359, 360, 363, 367, 371
safety function response time 334
safety group 137
SAFETY MODE 148
Safety Parameter Tool 135
safety telegram 49, 391, 406
safety variable 9
Safety Verification Tool 9, 135, 167
SCA 9, 191
SD card 9, 41, 148, 346
severity 9
SF_DPRAM_PM5XX_S_REC 330, 394, 410, 415
SF_DPRAM_PM5XX_S_SEND 332, 394, 410, 415
SFRT 9, 334
SM560-S 17, 24, 34
SM560-S-FD-1 17, 24, 34
SM560-S-FD-4 17, 24, 34
Sm560Rec 410
Sm560Send 410
stop on error class
    AC500 V3 406
    V2 391
SVT 9, 135, 167

T
technical data
transfer data from non-safety CPU to safety CPU 330
    AC500 V3 409
    V2 393
transfer data from safety CPU to non-safety CPU 332
    AC500 V3 409
    V2 393

Page 374: AC500-S Safety user manual V1.3.0 - ABB

TU582-S 18, 130

U
ULP 9, 35
update
    boot code 41, 346
    boot project 41
    firmware 41, 346
user management 137

V
V2 382
V3 400
verification for iParameter settings 351
verification procedure 350

W
warmstart 391

Page 375: AC500-S Safety user manual V1.3.0 - ABB

Appendix

Page 376: AC500-S Safety user manual V1.3.0 - ABB

— A System data for AC500-S-XC

A.1 Environmental conditions

Process and supply voltages

Data | Value | Unit
Process and supply voltage (-25 %, +30 % inclusive ripple) | 24 | V DC
Absolute limits inclusive ripple | 18 ... 31.2 | V DC
Ripple | < 10 | %
Protection against reverse polarity | yes |
Allowed interruptions of DC power supply | < 10 | ms
Time between 2 interruptions, PS2 | > 1 | s

DANGER! Exceeding the permitted process or supply voltage range (< -35 V DC or > +35 V DC) could lead to unrecoverable damage of the system.

DANGER! For the supply of the modules, power supply units according to PELV or SELV specifications must be used.

NOTICE! The creepage distances and clearances meet the requirements of the overvoltage category II, pollution degree 2.

Temperature

Data | Value | Unit
Operating temperature* | -40 ... +70 | °C
Operating temperature (vertical mounting of module, output load limited to 50 % per group) | -40 ... +40 | °C
Storage temperature | -40 ... +85 | °C
Transport temperature | -40 ... +85 | °C

* +60 ... +70 °C with the following deratings:
● Terminal bases: Maximum 2 communication modules allowed.
● Digital inputs: Maximum number of simultaneously switched on input channels limited to 50 % per group (e.g. 8 channels => 4 channels).
● Digital outputs: Output current maximum value (all channels together) limited to 50 % per group (e.g. 4 A => 2 A).
● Analog inputs: No limitations.

Page 377: AC500-S Safety user manual V1.3.0 - ABB

DANGER! Safety value calculation uses the average temperature. The average temperature for both the extended temperature range (-40 ... +70 °C) and the normal temperature range (0 ... +60 °C) is defined as +40 °C. Ensure that the average operating temperature of the used AC500-S and AC500-S-XC modules does not exceed +40 °C.

Humidity

Data | Value | Unit
Relative humidity with condensation (operating/storage) | 100 | %

Air pressure

Data | Value | Unit
Operating air pressure | 1080 ... 620 | hPa
Operating altitude | -1000 ... 4000 | m
Reduction of operating temperature at an air pressure of < 795 hPa (or > 2000 m above sea level) | 10 (e.g. +70 °C to +60 °C) | K

Immunity to corrosive gases

Data | Value
Operating: according to ISA S71.04.1985 harsh group A, G3/GX; IEC 60721-3-3 3C2 / 3C3 | yes

Immunity to salt mist

Data | Value
Operating: horizontal mounting only, according to IEC 60068-2-52 severity level 1 | yes

Electromagnetic compatibility

Data | Value
Radiated emission (radio disturbance) according to CISPR 16-2-3 | yes
Conducted emission (radio disturbance) according to CISPR 16-2-1, CISPR 16-1-2 | yes
Electrostatic discharge (ESD) according to IEC 61000-4-2, zone B, criterion B | yes
Fast transient interference voltages (burst) according to IEC 61000-4-4, zone B, criterion B | yes
High energy transient interference voltages (surge) according to IEC 61000-4-5, zone B, criterion B | yes
Influence of radiated disturbances according to IEC 61000-4-3, zone B, criterion A | yes
Influence of line-conducted interferences according to IEC 61000-4-6, zone B, criterion A | yes
Influence of power frequency magnetic fields according to IEC 61000-4-8, zone B, criterion A | yes

Page 378: AC500-S Safety user manual V1.3.0 - ABB

NOTICE! In order to prevent malfunctions, it is recommended that the operating personnel discharge themselves prior to touching communication connectors or perform other suitable measures to reduce effects of electrostatic discharges.

NOTICE! Unused sockets for communication modules on terminal bases must be covered with TA524 dummy communication module. I/O bus connectors must not be touched during operation.

Page 379: AC500-S Safety user manual V1.3.0 - ABB

A.2 Mechanical data

Data | Value
Wiring method | spring terminals
Degree of protection | IP 20
Vibration resistance according to IEC 61131-2, IEC 60068-2-6, IEC 60068-2-64 | yes
Shock resistance according to IEC 60068-2-27 | yes
Horizontal assembly position | yes
Vertical assembly position (no application in salt mist environment) | yes

Assembly on DIN rail according to IEC 60715

Data | Value | Unit
DIN rail type | 35 | mm
DIN rail type depth | 7.5 or 15 | mm

Assembly with screws

Data | Value | Unit
Screw diameter | 4 | mm
Fastening torque | 1.2 | Nm

Page 380: AC500-S Safety user manual V1.3.0 - ABB

A.3 Environmental tests

Storage | IEC 60068-2-1 test Ab: cold withstand test -40 °C / 16 h
 | IEC 60068-2-2 test Bb: dry heat withstand test +85 °C / 16 h
Humidity | IEC 60068-2-30 test Dd: Cyclic (12 h / 12 h) damp-heat test +55 °C, 93 % relative humidity / +25 °C, 95 % relative humidity, 6 cycles
 | IEC 60068-2-78, stationary humidity test: +40 °C, 93 % relative humidity, 240 h
Insulation test | IEC 61131-2
Vibration resistance | IEC 61131-2 / IEC 60068-2-6: 5 Hz ... 500 Hz, 2 g (with SD memory card inserted in non-safety CPU)
 | IEC 60068-2-64: 5 Hz ... 500 Hz, 4 g rms
Shock resistance | IEC 60068-2-27: all 3 axes 15 g, 11 ms, half-sinusoidal

EMC immunity

Electrostatic discharge (ESD)

Data | Value | Unit
Electrostatic voltage in case of air discharge | 8 | kV
Electrostatic voltage in case of contact discharge | 6 | kV

Fast transient interference voltages (burst)

Data | Value | Unit
Supply voltage units (DC) | 4 | kV
Digital inputs/outputs (24 V DC) | 2 | kV
Analog inputs/outputs | 2 | kV
Communication lines, shielded | 2 | kV
I/O supply (DC-out) | 2 | kV

High energy transient interference voltages (surge) - common mode (CM)

Data | Value | Unit
Supply voltage units (DC) | 1 | kV
Digital inputs/outputs (24 V DC) | 1 | kV
Analog inputs/outputs | 1 | kV
Communication lines, shielded | 1 | kV
I/O supply (DC-out) | 0.5 | kV

High energy transient interference voltages (surge) - differential mode (DM)

Data | Value | Unit
Supply voltage units (DC) | 0.5 | kV
Digital inputs/outputs (24 V DC) | 0.5 | kV
Analog inputs/outputs | 0.5 | kV
I/O supply (DC-out) | 0.5 | kV

Data | Value | Unit
Influence of radiated disturbances: test field strength | 10 | V/m
Influence of line-conducted interferences: test voltage | 10 | V

Page 381: AC500-S Safety user manual V1.3.0 - ABB

Data | Value | Unit
Power frequency magnetic fields at 30 A/m | 50 and 60 | Hz

NOTICE! Extreme environmental conditions and relevant requirements for used non-safety CPUs and I/O modules from the AC500-XC family shall be taken into account, see [3].

Page 382: AC500-S Safety user manual V1.3.0 - ABB

— B Usage of safety CPU with AC500 V2 non-safety CPU PM5xx

B.1 Compatibility with AC500 V2 non-safety CPU

All compatibility information is valid for normal and XC devices.

Table 105: Compatibility for safety CPU with AC500 V2 non-safety CPU

Safety CPU | SM560-S | SM560-S-FD-1, SM560-S-FD-4
Firmware version of safety CPU | Any | V2.0.0 or higher
Non-safety CPU | Any V2 CPU, except AC500-eCo CPUs | Any V2 CPU, except AC500-eCo CPUs
Firmware version of non-safety CPU | V2.2.1 or higher | V2.7 or higher
Version of engineering suite Automation Builder | 1.0 or higher | 2.1 or higher
Version of engineering suite Control Builder Plus | V2.2.1 or higher | Not compatible

Table 106: Compatibility for AC500-S with non-safety components except CPUs

Component | SM560-S | SM560-S-FD-1, SM560-S-FD-4
Firmware version of communication module CM579-PNIO | V2.6.5.1 or higher | V2.6.5.1 or higher
Firmware version of communication module CM589-PNIO(-4) | Not applicable | V1.6.2.20 or higher
Firmware version of communication interface module CI501-PNIO, CI502-PNIO, CI504-PNIO, CI506-PNIO | V3.2.0 or higher | V3.2.0 or higher
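As an added example (not ABB code), the following script checks an inventory of installed firmware and tool versions against the rules in Tables 105 and 106; the rule strings are transcribed from the tables, while the component names used as keys and the inventory values are constructed for this example. The "Any V2 CPU, except AC500-eCo" row is a product family rule rather than a version rule and is not modelled.

```python
"""Firmware/tool compatibility check against Tables 105 and 106.

Added example, not ABB code. Rule strings are transcribed from the tables;
component names (dictionary keys) and inventories are constructed.
"""
import re

RULES = {
    "SM560-S": {
        "safety CPU firmware": "Any",
        "non-safety CPU firmware": "V2.2.1 or higher",
        "Automation Builder": "1.0 or higher",
        "Control Builder Plus": "V2.2.1 or higher",
        "CM579-PNIO firmware": "V2.6.5.1 or higher",
        "CM589-PNIO(-4) firmware": "Not applicable",
        "CI50x-PNIO firmware": "V3.2.0 or higher",
    },
    "SM560-S-FD-1": {
        "safety CPU firmware": "V2.0.0 or higher",
        "non-safety CPU firmware": "V2.7 or higher",
        "Automation Builder": "2.1 or higher",
        "Control Builder Plus": "Not compatible",
        "CM579-PNIO firmware": "V2.6.5.1 or higher",
        "CM589-PNIO(-4) firmware": "V1.6.2.20 or higher",
        "CI50x-PNIO firmware": "V3.2.0 or higher",
    },
}
RULES["SM560-S-FD-4"] = RULES["SM560-S-FD-1"]  # same column in both tables


def parse_version(text):
    """'V2.6.5.1' -> (2, 6, 5, 1). Raises ValueError if no number is present."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_at_least(installed, minimum):
    """Compare dotted versions, zero-padding the shorter one (V2.7 == V2.7.0)."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_component(requirement, installed):
    """Evaluate one table cell against an installed version string.
    Returns (ok, reason)."""
    if requirement == "Any":
        return True, "no version constraint"
    if requirement in ("Not applicable", "Not compatible"):
        # The component is present, but the table rules it out for this CPU.
        return False, f"{requirement.lower()} with this safety CPU"
    if not requirement.endswith(" or higher"):
        raise ValueError(f"unrecognised rule {requirement!r}")
    minimum = requirement[: -len(" or higher")]
    ok = version_at_least(installed, minimum)
    return ok, f"{installed} {'meets' if ok else 'is below'} minimum {minimum}"


def check_system(safety_cpu, inventory):
    """inventory maps component name -> installed version. Components absent
    from the inventory (e.g. no CM589 fitted) are not checked.
    Returns a list of (component, ok, reason)."""
    rules = RULES[safety_cpu]
    return [(component, *check_component(rules[component], installed))
            for component, installed in inventory.items()]


def is_compatible(safety_cpu, inventory):
    return all(ok for _, ok, _ in check_system(safety_cpu, inventory))


if __name__ == "__main__":
    # Constructed inventory of a system built around a SM560-S-FD-1
    inventory = {"safety CPU firmware": "V2.0.0", "non-safety CPU firmware": "V2.7.3",
                 "Automation Builder": "2.1", "CM589-PNIO(-4) firmware": "V1.6.2.20"}
    for line in check_system("SM560-S-FD-1", inventory):
        print(line)
```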

Page 383: AC500-S Safety user manual V1.3.0 - ABB

B.2 Error messages with AC500 V2 non-safety CPU

NOTICE! The error messages of the safety CPU are aggregated in the diagnosis stack on the non-safety CPU. You can use the diagreset, diagack all, diagack x, diagshow all and diagshow x commands in the non-safety PLC browser to list and process various error messages in the AC500 system, including those in the safety CPU. More details on these commands can be found in [3].

Using CM589-PNIO or CM589-PNIO-4 IO device communication modules, one can also generate PROFINET diagnostic messages for F-Devices of SM560-S-FD-1 and SM560-S-FD-4, see Table 108 “Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs” on page 387 and Table 109 “Mapping of AC500/AC500-S errors to PROFINET channel errors” on page 388.

Page 384: AC500-S Safety user manual V1.3.0 - ABB

B.2.1 Error messages for safety CPUs

The errors are shown as they are displayed in Automation Builder.

Table 107: Common error messages for SM560-S / SM560-S-FD-1 / SM560-S-FD-4 safety CPUs

Error severity | Component or interface | Device | Module | Channel | Error | Error text | Remedy
E2 | 1 ... 4 | 255 | 30 | 1 | 0 | Operation finished. | Change safety PLC switch address setting or remove SD card from non-safety PLC. Restart safety PLC. If this error persists, replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 1 | 1 | Wrong user data | Delete user data from safety PLC. Restart safety PLC and write user data again.
E2 | 1 ... 4 | 255 | 30 | 1 | 2 | Internal PROFIsafe initialization error | Restart safety PLC. If this error persists, replace safety PLC. Contact ABB technical support.
E2 | 1 ... 4 | 255 | 30 | 1 | 12 | Flash read error | Restart safety PLC. If this error persists, replace safety PLC. Contact ABB technical support.
E2 | 1 ... 4 | 255 | 30 | 1 | 18 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 1 | 28 | Boot project download error | Reload boot project. If this error persists, replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 1 | 40 | Wrong firmware version | Update safety PLC firmware. Restart safety PLC. If this error persists, replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 1 | 43 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 1 | 48 | Overvoltage or undervoltage detected | Restart safety PLC. Check safety PLC setting for power supply error. If this error persists, replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 1 | 52 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 0 | User program triggered safe stop | Check user program
E2 | 1 ... 4 | 255 | 30 | 2 | 1 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 2 | Internal PROFIsafe error | Restart safety PLC. If this error persists, replace safety PLC. Contact ABB technical support.
E2 | 1 ... 4 | 255 | 30 | 2 | 3 | Internal error | Contact ABB technical support. Replace safety PLC.

Page 385: AC500-S Safety user manual V1.3.0 - ABB

Table 107 (continued)

Error severity | Component or interface | Device | Module | Channel | Error | Error text | Remedy
E2 | 1 ... 4 | 255 | 30 | 2 | 10 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 13 | Flash write error | Restart safety PLC. If this error persists, replace safety PLC. Contact ABB technical support.
E2 | 1 ... 4 | 255 | 30 | 2 | 17 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 18 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 19 | Checksum error has occurred in safety PLC. | Restart safety PLC. If this error persists, replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 25 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 37 | Cycle time error in safety PLC | Check safety PLC watchdog time.
E2 | 1 ... 4 | 255 | 30 | 2 | 38 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 42 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 43 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 52 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 2 | 54 | Internal error | Contact ABB technical support. Replace safety PLC.
E2 | 1 ... 4 | 255 | 30 | 3 | 30 | PROFIsafe configuration error | Check F-Parameter configuration of I/O module and reload boot project.
E2 | 9 | 1 ... 4 | 1 | 0 | 17 | Access test failed | Check safety PLC switch address setting. Restart safety PLC. If this error persists, replace safety PLC.
E2 | 9 | 1 ... 4 | 1 | 0 | 43 | Internal error | Check safety PLC switch address setting. Restart safety PLC. If this error persists, replace safety PLC.
E2 | 9 | 1 ... 4 | 31 | 0 | 43 | Internal error | Replace module
E3 | 1 ... 4 | 255 | 30 | 1 | 26 | Error in configuration data, safety PLC cannot read configuration data | Create new configuration data
E3 | 1 ... 4 | 255 | 30 | 1 | 27 | Error in configuration data, safety PLC cannot read configuration data | Create boot project

Page 386: AC500-S Safety user manual V1.3.0 - ABB

Table 107 (continued)

Error severity | Component or interface | Device | Module | Channel | Error | Error text | Remedy
E4 | 1 ... 4 | 255 | 30 | 1 | 0 | Operation finished | Change safety PLC switch address setting or remove SD card from non-safety PLC. Restart safety PLC. If this error persists, replace safety PLC.
E4 | 1 ... 4 | 255 | 30 | 1 | 4 | Boot project not loaded, maximum power dip reached | Restart safety PLC
E4 | 1 ... 4 | 255 | 30 | 1 | 8 | Power dip data missed or corrupted. Default power dip data was flashed by safety PLC. | Warning
E4 | 1 ... 4 | 255 | 30 | 1 | 19 | Checksum error has occurred in safety PLC configuration. | Create new boot project and restart safety PLC
E4 | 1 ... 4 | 255 | 30 | 2 | 13 | Flash write error (production data) | Warning
E4 | 1 ... 4 | 255 | 30 | 2 | 26 | No or wrong configuration data from PM5x, run state not possible | Create correct boot project at PM5x
E4 | 1 ... 4 | 255 | 30 | 2 | 39 | More than one instance of SF_WDOG_TIME_SET or SF_MAX_POWER_DIP_SET | Warning
E4 | 1 ... 4 | 255 | 30 | 4 | 13 | Flash write error (boot project) | Warning
E4 | 1 ... 4 | 255 | 30 | 5 | 13 | Flash write error (boot code) | Warning
E4 | 1 ... 4 | 255 | 30 | 6 | 13 | Flash write error (firmware) | Warning
E4 | 1 ... 4 | 255 | 30 | 7 | 13 | Flash write error (password) | Warning
E4 | 1 ... 4 | 255 | 30 | 8 | 13 | Flash write error (user data) | Warning
E4 | 1 ... 4 | 255 | 30 | 9 | 13 | Flash write error (user data) | Warning
E4 | 1 ... 4 | 255 | 30 | 10 | 13 | Flash write error (internal) | Warning
E4 | 1 ... 4 | 255 | 30 | 11 | 13 | Flash write error (internal) | Warning
E4 | 1 ... 4 | 255 | 30 | 12 | 13 | Flash write error (internal) | Warning

Page 387: AC500-S Safety user manual V1.3.0 - ABB

Table 108: Specific error messages for SM560-S-FD-1 / SM560-S-FD-4 safety CPUs

Error severity | Component or interface | Device | Module | Channel | Error | Error text | Remedy
E2 | 1 ... 4 | 255 | 28 | 0 ... 31 | 43 | Internal PROFIsafe F-Device error | Restart safety PLC. If this error persists, replace safety PLC. Contact ABB technical support.
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 1 | Safety destination address not valid (F_Dest_Add) | Check safety PLC configuration or switch address setting. Restart safety PLC. If this error persists, replace safety PLC.
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 2 | Safety source address not valid (F_Source_Add) | Check safety PLC configuration.
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 10 | Parameter "F_SIL" exceeds SIL from specific device application | Check safety PLC configuration.
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 11 | Safety watchdog time value is 0 ms (F_WD_Time) | Check safety PLC configuration.
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 19 | CRC1-Fault | Check safety PLC configuration. If this error persists, contact ABB technical support.
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 28 | Mismatch of safety destination address (F_Dest_Add) | Check safety PLC configuration or switch address setting. Restart safety PLC. If this error persists, replace safety PLC.
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 42 | Parameter "F_CRC_Length" does not match the generated values | Check safety PLC configuration.
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 40 | Version of F-Parameter set incorrect | Check safety PLC configuration.
E3 | 1 ... 4 | 255 | 30 | 1 | 17 | Safety source addresses cannot be checked | Check PROFIsafe F-Host library version (2.0.0 or above). If this error persists, contact ABB technical support.
E3 | 1 ... 4 | 255 | 30 | 1 | 54 | PROFIsafe F_Dest_Add rules are violated | Check safety PLC configuration or switch address setting against PROFIsafe F_Dest_Add configuration rules. Restart safety PLC. If this error persists, contact ABB technical support.

Page 388: AC500-S Safety user manual V1.3.0 - ABB

Table 108 (continued)

Error severity | Component or interface | Device | Module | Channel | Error | Error text | Remedy
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 26 | F_Block_ID not supported | Check safety PLC configuration
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 20 | Transmission error: data inconsistent (CRC2 error) | Check installation and wiring
E3 | 1 ... 4 | 255 | 28 | 0 ... 31 | 25 | Transmission error: timeout (F_WD_Time or F_WD_Time_2 elapsed) | Check safety PLC configuration

Table 109: Mapping of AC500/AC500-S errors to PROFINET channel errors

AC500/AC500-S error | PROFINET channel error type | PROFINET diagnostic information
28 | 64 | Mismatch of safety destination address (F_Dest_Add)
1 | 65 | Safety destination address not valid (F_Dest_Add)
2 | 66 | Safety source address not valid (F_Source_Add)
11 | 67 | Safety watchdog time value is 0 ms (F_WD_Time)
10 | 68 | Parameter "F_SIL" exceeds SIL from specific device application
42 | 69 | Parameter "F_CRC_Length" does not match the generated values
40 | 70 | Version of F-Parameter set incorrect
19 | 71 | CRC1-Fault
26 | 76 | F_Block_ID not supported
20 | 77 | Transmission error: data inconsistent (CRC2 error)
25 | 78 | Transmission error: timeout (F_WD_Time or F_WD_Time_2 elapsed)

Page 389: AC500-S Safety user manual V1.3.0 - ABB

B.2.2 Error messages for safety I/O modules

Table 110: Error messages for safety I/O modules (channel or module reintegration is possible)

Error severity | Component or interface | Device | Module | Channel | Error | Error text | Remedy
E3 | 14 | 1..10 | 0 | 0..15 | 3 | Discrepancy time expired | Check discrepancy time value, channel wiring and sensor.
E3 | 14 | 1..10 | 0 | 0..15 | 12 | Test pulse error | Check wiring and sensor.
E3 | 14 | 1..10 | 0 | 0..15 | 13 | Channel test pulse cross-talk error | Check wiring and sensor. If this error persists, replace I/O module. Contact ABB technical support.
E3 | 14 | 1..10 | 0 | 0..15 | 25 | Channel stuck-at error | Check I/O module wiring. Restart I/O module, if needed. If this error persists, replace I/O module.
E3 | 14 | 1..10 | 0 | 0..15 | 28 | Channel cross-talk error | Check I/O module wiring. Restart I/O module, if needed. If this error persists, replace I/O module.
E3 | 14 | 1..10 | 1 | 0..3 | 4 | Measurement overflow at the I/O module | Check channel wiring and sensor power supply.
E3 | 14 | 1..10 | 1 | 0..3 | 7 | Measurement underflow at the I/O module | Check channel wiring and sensor power supply.
E3 | 14 | 1..10 | 1 | 0..3 | 55 | Channel value difference too high | Adjust tolerance window for channels. Check channel wiring and sensor configuration.
E3 | 14 | 1..10 | 2 | 0..7 | 13 | Channel read-back error | Check I/O module wiring. Restart I/O module, if needed. If this error persists, replace I/O module.
E3 | 14 | 1..10 | 2 | 0..7 | 18 | Channel cross-talk error | Check I/O module wiring. Restart I/O module, if needed. If this error persists, replace I/O module.
E3 | 14 | 1..10 | 31 | 31 | 10 | Process voltage too high | Check process voltage
E3 | 14 | 1..10 | 31 | 31 | 11 | Process voltage too low | Check process voltage
E3 | 14 | 1..10 | 31 | 31 | 20 | PROFIsafe communication error | Restart I/O module. If this error persists, contact ABB technical support.
E3 | 14 | 1..10 | 31 | 31 | 25 | PROFIsafe watchdog timed out | Restart I/O module. If this error persists, increase PROFIsafe watchdog time.
E3 | 14 | 1..10 | 31 | 31 | 43 | Internal error in the device | Replace I/O module

Page 390: AC500-S Safety user manual V1.3.0 - ABB

Table 111: Error messages for safety I/O modules (channel or module reintegration is not possible)

Error severity | Component or interface | Device | Module | Channel | Error | Error text | Remedy
E3 | 14 | 1..10 | 31 | 31 | 18 | Plausibility check failed (iParameter) | Check configuration
E3 | 14 | 1..10 | 31 | 31 | 19 | Checksum error in the I/O module | Check safety configuration and CRCs for I- and F-Parameters.
E3 | 14 | 1..10 | 31 | 31 | 26 | Parameter error | Check master or configuration
E3 | 14 | 1..10 | 31 | 31 | 28 | F-Parameter configuration and address switch value do not match. | Check I/O module F-Parameter configuration and module address switch value.

Page 391: AC500-S Safety user manual V1.3.0 - ABB

B.3 AC500 V2 non-safety CPU parameters configuration

The following parameters of the non-safety CPU configuration influence the overall system behavior of safety and non-safety CPU.
● “Behavior of outputs in stop”
● “Stop on error class”
● “Warmstart” after error of severity level 2
The settings for these parameters do not compromise on system safety.

“Behavior of outputs in stop”

Value “Off in hardware and online” (default)
If non-safety CPU is stopped, the application program execution on the safety CPU is stopped. Transferring safety CPU output values by non-safety CPU in safety telegrams will be stopped, too. No valid PROFIsafe safety telegrams can reach safety I/O modules and other F-Devices. They go to a passivation state after the watchdog time runs out.

Value “Off in hardware and actual state online”
If non-safety CPU is stopped, transferring safety CPU output values in PROFIsafe safety telegrams will be stopped, too. The hardware status of safety CPU communication interface becomes "0". Online display shows the last valid values from the last safety application program cycle. As a result of stopped value transfer to the safety CPU communication interface, no valid PROFIsafe safety telegrams can reach safety I/O modules and other F-Devices. They go to a passivation state after the watchdog time runs out.

Value “Actual state in hardware and online”
If non-safety CPU is stopped, safety CPU continues running. Safety CPU output values in PROFIsafe safety telegrams will continue to be transferred by non-safety CPU. Hardware status of the safety CPU communication interface and online display values remain intact. Safety I/O modules and other F-Devices can receive safety telegrams from the safety CPU. Operation of safety part is not influenced by the stop of non-safety CPU.

“Stop on error class”

Value “E2” (default)
If an error of severity level 1 or 2 occurs, non-safety CPU, all its communication modules and safety CPU will be stopped. PROFIsafe F-Host and F-Devices stacks continue running on the safety CPU with fail-safe values.

Value “E3”
If an error of severity level 1, 2 or 3 occurs, non-safety CPU, all its communication modules and safety CPU will be stopped. PROFIsafe F-Host and F-Devices stacks continue running on safety CPU with fail-safe values.

Value “E4”
If an error of severity level 1, 2, 3 or 4 occurs, non-safety CPU, all its communication modules and safety CPU will be stopped. PROFIsafe F-Host and F-Devices stacks continue running on safety CPU with fail-safe values.

“Warmstart”

Value “Off” (default)
If an error of severity level 2 occurs, no warm restart of non-safety CPU, all its communication modules and safety CPU will be done.

Values “On after E2 error”, “On after short voltage dip”, “On after E2 or short voltage dip”
If an error of severity level 2 occurs or after short voltage dip, a warm restart of non-safety CPU, all its communication modules and safety CPU will be done. After restart of safety CPU, remote safety I/O modules can be reintegrated, e.g., using PROFIsafe F-Device reintegration scheme, see [2].

Page 392: AC500-S Safety user manual V1.3.0 - ABB

B.4 AC500 V2 non-safety CPU PLC commands

The following PLC browser commands (if supported by the current non-safety CPU firmware), issued on the non-safety CPU, can influence the safety CPU state:

● reboot
Reboots the non-safety CPU and, as a result, restarts the safety CPU as well.

● resetprgorg
Restores the original state of the non-safety and the safety CPU (all variables, flash memory sections, etc. get their original values). The safety CPU changes its state from RUN to SAFE STOP (non-safety).

● stopprg, resetprg, resetprgcold and the menu entries "Online -> Reset (cold, original)"
Force the safety CPU to leave RUN (safety) mode and to switch to DEBUG STOP (non-safety) mode.

● startprg
Forces the safety CPU to leave DEBUG STOP (non-safety) mode and to switch to DEBUG RUN (non-safety) mode. If the safety CPU is already in RUN (safety) mode or DEBUG RUN (non-safety) mode, this PLC browser command has no influence on the safety CPU.

Since these commands take the safety CPU out of RUN (safety) mode, access to the PLC browser of the non-safety CPU has to be restricted to authorized users accordingly.


B.5 Data exchange between safety CPU and AC500 V2 non-safety CPU

Data exchange options between the safety CPU and an AC500 V2 non-safety CPU:
● Acyclic non-safe data exchange: several safety CPU cycles are needed to transfer the data; max. 84 bytes in each direction (see Appendix B.5.1 "Acyclic non-safe data exchange" on page 394).
● Cyclic non-safe data exchange: max. 3 safety CPU cycles are needed to transfer the data; max. 2 kB in each direction (see Appendix B.5.2 "Cyclic non-safe data exchange" on page 399).

DANGER!
It is not recommended to transfer data values from the non-safety CPU to the safety CPU. If you do so and want to use those non-safety values for safety functions, you have to define additional process-specific validation procedures in the safety program that check the correctness of the transferred non-safety data.
Transferring data values from the safety CPU to the non-safety CPU, e.g., for diagnosis and later visualization on operator panels, is not a safety concern.


B.5.1 Acyclic non-safe data exchange

Acyclic non-safe data exchange is available by default in the programming environment, for the safety CPU and the non-safety CPU.
On the safety CPU, use the function blocks SF_DPRAM_PM5XX_S_REC and SF_DPRAM_PM5XX_S_SEND (see Chapter 4.6.7.13 "SF_DPRAM_PM5XX_S_REC" on page 330 and Chapter 4.6.7.14 "SF_DPRAM_PM5XX_S_SEND" on page 332).
On the non-safety CPU, use the function blocks DPRAM_SM5XX_SEND and DPRAM_SM5XX_REC (see Appendix B.5.1.1 "DPRAM_SM5XX_SEND" on page 395 and Appendix B.5.1.2 "DPRAM_SM5XX_REC" on page 397).


B.5.1.1 DPRAM_SM5XX_SEND

The DPRAM_SM5XX_SEND function block sends data to the safety CPU. The data to be sent is located in the memory area given at input DATA (memory address provided via the ADR operator). The function block is activated by a FALSE/TRUE edge ("0" -> "1") at input EN. The slot number of the safety CPU is set at input SLOT, and the length of the data to be transmitted is specified in bytes at input DATA_LEN. DONE = TRUE and ERR = FALSE indicate that the sending process was successful. If an error was detected during function block processing, it is indicated at outputs ERR and ERNO.
Note: Sending with DPRAM_SM5XX_SEND is edge-triggered, i.e. each sending process is initiated by a FALSE/TRUE edge at input EN.

Table 112: FB name: DPRAM_SM5XX_SEND

VAR_INPUT
Name | Data type | Initial value | Description, parameter values
EN | BOOL | FALSE | Enabling of function block processing. Processing is controlled by input EN; the data transfer is initiated by a FALSE/TRUE edge. The sending of data is indicated by output DONE.
SLOT | BYTE | 16#00 | Slot number (module number) the data should be sent to. The external slots are numbered consecutively from right to left, starting with number 1.
DATA | DWORD | 16#00000000 | Memory address of the data to be transmitted, provided via the ADR operator. The address specified at DATA has to belong to a variable of type ARRAY or STRUCT from which the user data is copied. Note: Set the variable size to the maximum expected amount of data in order to avoid overlapping memory areas.
DATA_LEN | WORD | 16#0000 | Length of the data to be transmitted (in bytes), starting at address DATA; max. 84.

VAR_OUTPUT
Name | Data type | Initial value | Description, parameter values
DONE | BOOL | FALSE | The data was sent. DONE always has to be evaluated together with ERR: DONE = TRUE and ERR = FALSE means sending completed, a data set was sent correctly; DONE = TRUE and ERR = TRUE means an error occurred during sending, the error number is indicated at output ERNO.
ERR | BOOL | FALSE | Error message of the function block. ERR indicates whether an error occurred during sending and always has to be evaluated together with DONE: if an error occurred, DONE = TRUE and ERR = TRUE, and output ERNO indicates the error number.
ERNO | WORD | 16#0000 | Error number (see [3]). ERNO provides an error identifier if an invalid value was applied to an input or an error occurred during job processing. The value at ERNO is only valid if DONE = TRUE and ERR = TRUE. The encoding of the error messages at output ERNO is explained at the beginning of the function block description.

Call in ST:

SM5xxSend(EN := SM5xxSend_EN,
          SLOT := SM5xxSend_SLOT,
          DATA := ADR(SM5xxSend_DATA),
          DATA_LEN := SM5xxSend_DATA_LEN,
          DONE => SM5xxSend_DONE,
          ERR => SM5xxSend_ERR,
          ERNO => SM5xxSend_ERNO);


B.5.1.2 DPRAM_SM5XX_REC

The DPRAM_SM5XX_REC function block receives data from the safety CPU. The data is stored in the memory area given at input DATA (memory address for received data, provided via the ADR operator). The function block is enabled by a TRUE signal at input EN and remains active until EN is set to FALSE. The slot number of the safety CPU is set at input SLOT. Output DATA_LEN shows the length of the received data in bytes. DONE = TRUE and ERR = FALSE indicate that the reception was successful. If an error was detected during function block processing, it is indicated at outputs ERR and ERNO.
Note: Reception with DPRAM_SM5XX_REC is not edge-triggered. Therefore, input EN has to be held TRUE continuously during data reception.

Table 113: FB name: DPRAM_SM5XX_REC

VAR_INPUT
Name | Data type | Initial value | Description, parameter values
EN | BOOL | FALSE | Enabling of function block processing. The function block is active while EN = TRUE. The reception of data is indicated by output DONE.
SLOT | BYTE | 16#00 | Slot number (module number) the data should be read from. The external slots are numbered consecutively from right to left, starting with number 1.
DATA | DWORD | 16#00000000 | Memory address for the received data, provided via the ADR operator. The address specified at DATA has to belong to a variable of type ARRAY or STRUCT to which the user data is copied. Note: Set the variable size to the maximum expected amount of data in order to avoid overlapping memory areas.

VAR_OUTPUT
Name | Data type | Initial value | Description, parameter values
DONE | BOOL | FALSE | The data was received. DONE always has to be evaluated together with ERR: DONE = TRUE and ERR = FALSE means reception completed, a data set was received correctly; DONE = TRUE and ERR = TRUE means an error occurred during reception, the error number is indicated at output ERNO.
ERR | BOOL | FALSE | Error message of the function block. ERR indicates whether an error occurred during reception and always has to be evaluated together with DONE: if an error occurred during processing of the function block, DONE = TRUE and ERR = TRUE, and output ERNO indicates the error number.
ERNO | WORD | 16#0000 | Error number (see [3]). ERNO provides an error identifier if an invalid value was applied to an input or an error occurred during job processing. The value at ERNO is only valid if DONE = TRUE and ERR = TRUE. The encoding of the error messages at output ERNO is explained at the beginning of the function block description.
DATA_LEN | WORD | 16#0000 | Length of the received data in bytes. DATA_LEN is only valid if DONE = TRUE.

Call in ST:

SM5xxRec(EN := SM5xxRec_EN,
         SLOT := SM5xxRec_SLOT,
         DATA := ADR(SM5xxRec_DATA),
         DONE => SM5xxRec_DONE,
         ERR => SM5xxRec_ERR,
         ERNO => SM5xxRec_ERNO,
         DATA_LEN => SM5xxRec_DATA_LEN);
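The following is an added example of the non-safety CPU side of the acyclic exchange; it is not code from the ABB manual or the AC500 libraries. It puts the two blocks described above together the way Tables 112 and 113 require: DPRAM_SM5XX_SEND is driven by one FALSE/TRUE edge on EN per frame and EN is dropped again once DONE is reported, DPRAM_SM5XX_REC is held enabled, and DONE is always evaluated together with ERR and ERNO. The 8-byte frame layout (sequence counter, value, complemented copy of both), the slot number 1 and all program and variable names are assumptions of this example, chosen so that the safety program on the other side has something it can check before trusting the data.

```iecst
(* Added example, not part of the ABB manual. Non-safety CPU (AC500 V2 PM5xx), ST.
   Assumptions: the safety CPU sits in slot 1; the 8-byte frame layout below is
   agreed between both programs; all names are this example's own. *)
PROGRAM PLC_PRG
VAR
    fbSend       : DPRAM_SM5XX_SEND;
    fbRec        : DPRAM_SM5XX_REC;

    (* frame to the safety CPU: [seq lo][seq hi][value lo][value hi] followed by
       the bitwise complement of those 4 bytes, so the receiver can check integrity *)
    abyTx        : ARRAY[0..7] OF BYTE;
    abyRx        : ARRAY[0..83] OF BYTE;     (* maximum size, so no memory overlap *)
    wSeq         : WORD := 0;                (* incremented for every frame built *)
    wVal         : WORD;
    iSetpoint    : INT  := 1200;             (* example process value to transfer *)
    xSendRequest : BOOL := TRUE;             (* set by the application when a value is ready *)
    xTxEn        : BOOL := FALSE;            (* EN of the send block, raised for one job *)
    iTxState     : INT  := 0;
    wSendErno    : WORD := 0;                (* last ERNO of a failed send job *)

    xRxValid     : BOOL := FALSE;
    wRxLen       : WORD := 0;
    wRecErno     : WORD := 0;
    i            : INT;
END_VAR

(* ---- transmit: DPRAM_SM5XX_SEND is edge-triggered, so EN must go FALSE -> TRUE
        once per frame and fall back to FALSE before the next frame ---- *)
CASE iTxState OF
    0:  (* idle *)
        IF xSendRequest THEN
            xSendRequest := FALSE;
            wSeq := wSeq + 1;
            wVal := INT_TO_WORD(iSetpoint);
            (* byte-wise, little-endian layout: the receiver reassembles the fields
               byte by byte, so the different endianness of the CPUs does not matter *)
            abyTx[0] := WORD_TO_BYTE(wSeq AND 16#00FF);
            abyTx[1] := WORD_TO_BYTE(SHR(wSeq, 8));
            abyTx[2] := WORD_TO_BYTE(wVal AND 16#00FF);
            abyTx[3] := WORD_TO_BYTE(SHR(wVal, 8));
            FOR i := 0 TO 3 DO
                abyTx[i + 4] := NOT abyTx[i];
            END_FOR;
            xTxEn := TRUE;                   (* rising edge starts the job *)
            iTxState := 1;
        END_IF;
    1:  (* job running: wait for DONE, always evaluate it together with ERR *)
        IF fbSend.DONE THEN
            IF fbSend.ERR THEN
                wSendErno := fbSend.ERNO;    (* error number, see AC500 user documentation *)
                xSendRequest := TRUE;        (* request another attempt with a new frame *)
            END_IF;
            xTxEn := FALSE;                  (* drop EN so the next rising edge is seen *)
            iTxState := 0;
        END_IF;
END_CASE;

fbSend(EN := xTxEn, SLOT := 1, DATA := ADR(abyTx), DATA_LEN := 8);

(* ---- receive: DPRAM_SM5XX_REC is level-triggered, keep EN TRUE permanently ---- *)
fbRec(EN := TRUE, SLOT := 1, DATA := ADR(abyRx));
IF fbRec.DONE THEN
    IF fbRec.ERR THEN
        wRecErno := fbRec.ERNO;
        xRxValid := FALSE;
    ELSE
        wRxLen   := fbRec.DATA_LEN;          (* only valid while DONE = TRUE *)
        xRxValid := (wRxLen > 0);            (* abyRx[0..wRxLen-1] holds the safety CPU's data *)
    END_IF;
END_IF;
END_PROGRAM
```

The frame is deliberately written and read byte by byte rather than copied as a STRUCT of WORDs; this is what keeps the receive side independent of the byte swap between the two CPUs. A persistent send error loops on retries here; a real application should count failures and raise a diagnosis after a bounded number.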


B.5.2 Cyclic non-safe data exchange

In Automation Builder, use the tab "Data exchange configuration" of the safety CPU to configure the cyclic non-safe data exchange functionality. It enables fast cyclic data exchange of large data amounts between the safety CPU and the non-safety CPU via DPRAM. In most safety applications this functionality is not needed and shall not be used. By default, the checkbox "Cyclic non-safe data exchange" is unselected. If you still need it, refer to the description of how to use the cyclic non-safe data exchange functionality, available via www.abb.com/plc, document no. 3ADR025195M0202.
Cyclic non-safe data exchange with AC500 V2 non-safety CPUs is supported from Automation Builder 1.0.1.


C Usage of safety CPU with AC500 V3 non-safety CPU PM56xx

C.1 Compatibility with AC500 V3 non-safety CPUs

All compatibility information is valid for normal and XC devices.

Table 114: Compatibility for safety CPU with AC500 V3 non-safety CPU
Safety CPU | SM560-S | SM560-S-FD-1, SM560-S-FD-4
Firmware version of safety CPU | Any | Any
Non-safety CPU | Any V3 CPU, except AC500-eCo CPUs | Under preparation
Firmware version of non-safety CPU | V3.3.0 or higher
Version of engineering suite Automation Builder | 2.3.0 or higher

Table 115: Compatibility for AC500-S with non-safety components except CPUs
Component | SM560-S | SM560-S-FD-1, SM560-S-FD-4
Firmware version of communication module CM579-PNIO | V2.8.6.21 or higher | V2.8.6.21 or higher
Firmware version of communication module CM589-PNIO(-4) | Not applicable | Under preparation
Firmware version of communication interface modules CI501-PNIO, CI502-PNIO, CI504-PNIO, CI506-PNIO | V3.2.0 or higher | V3.2.0 or higher


C.2 Error messages with AC500 V3 non-safety CPUs

C.2.1 Error messages for safety CPUs

The errors are shown as they are displayed in Automation Builder. In AC500-S Programming Tool, errors are displayed similar to the error messages of AC500 V2 non-safety CPUs.

Table 116: Error messages for safety CPU
Severity | Error code | Description | Remedy
2 | 8235 | Internal error | Replace module.
2 | 8448 | Operation finished | Change Safety PLC switch address setting or remove SD card from non-safety PLC. Restart Safety PLC. If this error persists, replace Safety PLC.
2 | 8449 | Wrong user data | Delete user data from Safety PLC. Restart Safety PLC and write user data again.
2 | 8450 | Internal PROFIsafe initialization error | Restart Safety PLC. If this error persists, replace Safety PLC. Contact ABB technical support.
2 | 8460 | Flash read error | Restart Safety PLC. If this error persists, replace Safety PLC. Contact ABB technical support.
2 | 8466 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8476 | Boot project download error | Reload boot project. If this error persists, replace Safety PLC.
2 | 8488 | Wrong firmware version | Update Safety PLC firmware. Restart Safety PLC. If this error persists, replace Safety PLC.
2 | 8491 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8496 | Overvoltage or undervoltage detected | Restart Safety PLC. Check Safety PLC setting for power supply error. If this error persists, replace Safety PLC.
2 | 8500 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8704 | User program triggered safe stop | Check user program.
2 | 8705 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8706 | Internal PROFIsafe error | Restart Safety PLC. If this error persists, replace Safety PLC. Contact ABB technical support.
2 | 8707 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8714 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8717 | Flash write error | Restart Safety PLC. If this error persists, replace Safety PLC. Contact ABB technical support.


2 | 8721 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8722 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8723 | Checksum error has occurred in Safety PLC | Restart Safety PLC. If this error persists, replace Safety PLC.
2 | 8729 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8741 | Cycle time error in Safety PLC | Check Safety PLC watchdog time.
2 | 8742 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8746 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8747 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8756 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8758 | Internal error | Contact ABB technical support. Replace Safety PLC.
2 | 8990 | PROFIsafe configuration error | Check F-Parameter configuration of I/O module and reload boot project.
3 | 12561 | Safety source addresses cannot be checked | Check PROFIsafe F-Host library version (2.0.0 or above). If this error persists, contact ABB technical support.
3 | 12570 | Error in configuration data; Safety PLC has not accepted the configuration data, e.g., because of a mismatch between safety and non-safety PLC configuration | Create new configuration data for both safety and non-safety PLC, then re-create and download the boot projects to both safety and non-safety PLC again.
3 | 12571 | Error in configuration data; Safety PLC cannot read the configuration data | Create boot project.
3 | 12598 | PROFIsafe F_Dest_Add rules are violated | Check Safety PLC configuration or switch address setting against the PROFIsafe F_Dest_Add configuration rules. Restart Safety PLC. If this error persists, contact ABB technical support.
3 | 32770 | Watchdog error coupler |
3 | 32771 | Wrong firmware version of Communication Module | Update firmware.
3 | 32772 | Initialisation of Safety Module on slot failed; more than one Safety Module plugged | Remove the additional module. If only one Safety Module is plugged, it is defective: replace this module.
3 | 32774 | Invalid configuration data | Check configuration.


3 | 32775 | Safety Module not found | Check configuration. At Safety PLC: check Safety PLC switch address setting. Restart Safety PLC. If this error persists, replace Safety PLC.
3 | 32776 | Safety Module has wrong type | Check configuration.
4 | 16640 | Reserved switch address setting | Warning.
4 | 16644 | Boot project not loaded, maximum power dip reached | Restart Safety PLC.
4 | 16648 | Power dip data missed or corrupted; default power dip data was flashed by Safety PLC | Warning.
4 | 16659 | CRC error boot project | Create new boot project and restart Safety PLC.
4 | 16909 | Flash write error (production data) | Warning.
4 | 16935 | More than one instance of SF_WDOG_TIME_SET or SF_MAX_POWER_DIP_SET | Warning.
4 | 16922 | No or wrong configuration data from PM5x, run state not possible | Create correct boot project at PM5x.
4 | 17421 | Flash write error (boot project) | Warning.
4 | 17677 | Flash write error (boot code) | Warning.
4 | 17933 | Flash write error (firmware) | Warning.
4 | 18189 | Flash write error (password) | Warning.
4 | 18445 | Flash write error (user data) | Warning.
4 | 18701 | Flash write error (user data) | Warning.
4 | 18957 | Flash write error (internal) | Warning.
4 | 19213 | Flash write error (internal) | Warning.
4 | 19469 | Flash write error (internal) | Warning.
4 | 32777 | Program not started because of configuration error | Check configuration.
4 | 32778 | Program not started, no application running in Safety Module | Check configuration, download safety application to Safety Module.


C.2.2 Error messages for safety I/O modules

Table 117: Error messages for safety I/O modules (channel or module reintegration is possible)
Severity | Error code | Description | Remedy
3 | 3 | Discrepancy time expired | Check discrepancy time value, channel wiring and sensor.
3 | 12 | Test pulse error | Check wiring and sensor.
3 | 13 | Channel test pulse cross-talk error | Check wiring and sensor. If this error persists, replace I/O module. Contact ABB technical support.
3 | 25 | Channel stuck-at error | Check I/O module wiring. Restart I/O module, if needed. If this error persists, replace I/O module.
3 | 28 | Channel cross-talk error | Check I/O module wiring. Restart I/O module, if needed. If this error persists, replace I/O module.
3 | 260 | Measurement overflow at the I/O module | Check channel wiring and sensor power supply.
3 | 263 | Measurement underflow at the I/O module | Check channel wiring and sensor power supply.
3 | 311 | Channel value difference too high | Adjust tolerance window for channels. Check channel wiring and sensor configuration.
3 | 525 | Channel readback error | Check I/O module wiring. Restart I/O module, if needed. If this error persists, replace I/O module.
3 | 530 | Channel cross-talk error | Check I/O module wiring. Restart I/O module, if needed. If this error persists, replace I/O module.
3 | 16138 | Process voltage too high | Check process voltage.
3 | 16139 | Process voltage too low | Check process voltage.
3 | 16148 | PROFIsafe communication error | Restart I/O module. If this error persists, contact ABB technical support.
3 | 16153 | PROFIsafe watchdog timed out | Restart I/O module. If this error persists, increase PROFIsafe watchdog time.
3 | 16171 | Internal error in the device | Replace I/O module.

Table 118: Error messages for safety I/O modules (channel or module reintegration is not possible)
Severity | Error code | Description | Remedy
3 | 16146 | Plausibility check failed (iParameter) | Check configuration.
3 | 16147 | Checksum error in the I/O module | Check safety configuration and CRCs for I- and F-Parameters.


3 | 16154 | Parameter value | Check master or configuration.
3 | 16156 | F-Parameter configuration and address switch value do not match | Check I/O module F-Parameter configuration and module address switch value.


C.3 AC500 V3 non-safety CPU parameters configuration

If the non-safety CPU is stopped, the safety CPU goes to DEBUG STOP (non-safety) state (Fig. 12 on page 46) and the safety I/O modules immediately switch to RUN (module passivation with a command) state (Fig. 15 on page 55). Later, if the safety CPU changes to DEBUG RUN (non-safety) state, e.g., after switching the non-safety CPU back to RUN state, the safety I/O modules immediately change to RUN (ok) state (Fig. 15 on page 55) and deliver valid process values to the safety CPU without the need for reintegration.

NOTICE!
The described behavior with AC500 V3 non-safety CPUs differs from the behavior with AC500 V2 non-safety CPUs. If you are familiar with AC500 V2 non-safety CPUs, note the following differences:
If an AC500 V2 non-safety CPU is stopped, the safety CPU goes to DEBUG STOP (non-safety) state and the safety I/O modules go to RUN (module passivation) state (Fig. 15 on page 55).
If the safety CPU then changes to DEBUG RUN (non-safety) state, the safety I/Os first have to be reintegrated by going through the RUN (user acknowledgement request) state (Fig. 15 on page 55), and only then deliver current valid process outputs to the safety CPU.

The following settings of the AC500 non-safety module configuration influence the overall system behavior of safety and non-safety CPUs.

Settings for the non-safety CPU in Automation Builder:
● Tab "PLC Settings"
  – "Bus cycle task"
● Tab "CPU-Parameters Parameters"
  – "Stop on error class"
● Tab "I/O-Bus I/O Mapping"
  – "Bus cycle task"

Settings for communication modules in Automation Builder:
● Tab "PROFINET-IO-Controller I/O Mapping" / "PROFINET-IO-Device I/O Mapping"
  – "Bus cycle task"

These parameter settings do not compromise system safety.


"Bus cycle task"

We strongly recommend reading the AC500 user documentation (see [3]) on this topic to understand the parameter "Bus cycle task" for the settings listed above and its dependencies on other parameters. The settings have to be considered carefully: on the one hand, to avoid any overload scenario on the non-safety CPU; on the other hand, not to exceed the SFRT.

One easy possibility to set up the bus cycle:
1. Set a global bus cycle time in tab "PLC Settings" by assigning a task to "Bus cycle task".
2. Keep the default values for the bus cycle task of the I/O bus and the communication modules.
With these settings, both bus cycle times for the I/O bus and the communication modules are driven by the non-safety CPU with the cycle time of the assigned task (in tab "PLC Settings").

NOTICE!
The value of the safety CPU parameter "Update cycle time" is the limiting bus cycle time for the I/O bus and the communication modules. If higher values are assigned for the bus cycle tasks of the I/O bus and the communication modules, they are limited to the lower value of "Update cycle time". If lower values are assigned, they are kept as they are.

NOTICE!
The cycle times for the I/O bus and the communication modules affect the SFRT of your system (see Chapter 5.3 "Safety function response time" on page 334).

"Stop on error class"

Parameter in tab "CPU-Parameters Parameters" of the non-safety CPU.

Value "Diagnosis of at least error class 2" (default)
If an error of severity level 1 or 2 occurs, the non-safety CPU and the safety CPU are stopped. If present on the given safety CPU, the PROFIsafe F-Host and F-Device stacks continue running on the safety CPU with fail-safe values.

Value "Diagnosis of at least error class 3"
If an error of severity level 1, 2 or 3 occurs, the non-safety CPU and the safety CPU are stopped. If present on the given safety CPU, the PROFIsafe F-Host and F-Device stacks continue running on the safety CPU with fail-safe values.

Value "Diagnosis of at least error class 4"
If an error of severity level 1, 2, 3 or 4 occurs, the non-safety CPU and the safety CPU are stopped. If present on the given safety CPU, the PROFIsafe F-Host and F-Device stacks continue running on the safety CPU with fail-safe values.


C.4 AC500 V3 non-safety CPU PLC commands

The following PLC shell commands (if supported by the current non-safety CPU firmware), issued on the non-safety CPU, can influence the safety CPU state:

● reboot
Reboots the non-safety CPU and, as a result, restarts the safety CPU as well.

● stopprg, resetprg, resetprgcold
Force the safety CPU to leave RUN (safety) mode and to switch to DEBUG STOP (non-safety) mode.

● startprg
Forces the safety CPU to leave DEBUG STOP (non-safety) mode and to switch to DEBUG RUN (non-safety) mode. If the safety CPU is already in RUN (safety) mode or DEBUG RUN (non-safety) mode, this PLC shell command has no influence on the safety CPU.

Since these commands take the safety CPU out of RUN (safety) mode, access to the PLC shell of the non-safety CPU has to be restricted to authorized users accordingly.

NOTICE!
The error messages of the safety CPU are aggregated in the diagnosis system of the non-safety CPU. For handling and usage of the diagnosis features of the non-safety CPU, refer to [3].


C.5 Data exchange between safety CPU and AC500 V3 non-safety CPU

Data exchange options between the safety CPU and an AC500 V3 non-safety CPU:
● Acyclic non-safe data exchange: several safety CPU cycles are needed to transfer the data; max. 84 bytes in each direction (see Appendix C.5.1 "Acyclic non-safe data exchange" on page 410).
● Cyclic non-safe data exchange: max. 3 safety CPU cycles are needed to transfer the data; max. 2 kB in each direction (see Appendix C.5.2 "Cyclic non-safe data exchange" on page 411).

DANGER!
It is not recommended to transfer data values from the non-safety CPU to the safety CPU. If you do so and want to use those non-safety values for safety functions, you have to define additional process-specific validation procedures in the safety program that check the correctness of the transferred non-safety data.
Transferring data values from the safety CPU to the non-safety CPU, e.g., for diagnosis and later visualization on operator panels, is not a safety concern.


C.5.1 Acyclic non-safe data exchange

On the safety CPU, use the function blocks SF_DPRAM_PM5XX_S_REC and SF_DPRAM_PM5XX_S_SEND (see Chapter 4.6.7.13 "SF_DPRAM_PM5XX_S_REC" on page 330 and Chapter 4.6.7.14 "SF_DPRAM_PM5XX_S_SEND" on page 332).

On the non-safety CPU, use the function blocks Sm560Send and Sm560Rec. They are included in the library SM560Safety. In Automation Builder, refer to the Library Manager for a detailed description.

NOTICE!
Transferred data is byte-swapped
The data exchange copies the data byte by byte. Because the safety CPU and the non-safety CPU use different endianness, every data type larger than 1 byte arrives in the target system with its bytes swapped.
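The following is an added example of the process-specific validation that the DANGER notes in B.5 and C.5 require before non-safety data is used in a safety function; it is not ABB code and is not an ABB-prescribed procedure. It is written for the safety CPU side as a function block that takes the bytes delivered by the receive block (the buffer and a "new data" indication; how SF_DPRAM_PM5XX_S_REC reports these is described in Chapter 4.6.7.13 and is not assumed here) and accepts a value only if the frame length, a complemented-copy integrity check, the sequence counter and a plausible value range all hold, falling back to a fail-safe value when no valid frame arrives within a bounded number of cycles. It also shows the practical answer to the byte-swap notice above: multi-byte fields are assembled from single bytes in a fixed order instead of being copied as WORDs. The 8-byte frame layout, the names, the limits and the I_/O_ naming are assumptions of this example; the block handles non-safe data and still has to pass the safety programming guidelines and the safety code analysis tool before it is used.

```iecst
(* Added example, not part of the ABB manual. Safety CPU side (AC500-S Programming
   Tool, ST). Checks a frame received from the non-safety CPU before its content is
   used. Assumed 8-byte frame layout (agreed with the non-safety program):
     [0..1] sequence counter (lo, hi)   [2..3] value (lo, hi)
     [4..7] bitwise complement of bytes [0..3]
   All names, limits and the layout are this example's own. *)
FUNCTION_BLOCK NonSafeFrameCheck
VAR_INPUT
    I_abyFrame : ARRAY[0..83] OF BYTE;   (* receive buffer filled by the receive block *)
    I_wLen     : WORD;                   (* number of bytes received into the buffer *)
    I_xNewData : BOOL;                   (* TRUE in the cycle a new frame was received *)
    I_iMin     : INT := 0;               (* process-specific plausible range of the value *)
    I_iMax     : INT := 3000;
    I_wMaxAge  : WORD := 50;             (* max. safety cycles to keep a value without a fresh frame *)
END_VAR
VAR_OUTPUT
    O_xValid   : BOOL := FALSE;          (* TRUE while O_iValue may be used *)
    O_iValue   : INT  := 0;              (* accepted value; fail-safe 0 while not valid *)
    O_wSeq     : WORD := 0;              (* sequence counter of the last accepted frame *)
END_VAR
VAR
    wSeq, wVal : WORD;
    wLastSeq   : WORD := 0;
    wAge       : WORD := 0;
    iVal       : INT;
    xOk        : BOOL;
    i          : INT;
END_VAR

xOk := FALSE;
IF I_xNewData THEN
    (* 1. exact length of the agreed layout *)
    xOk := (I_wLen = 8);

    (* 2. integrity: every data byte must equal the complement of its mirror byte *)
    FOR i := 0 TO 3 DO
        IF I_abyFrame[i + 4] <> (NOT I_abyFrame[i]) THEN
            xOk := FALSE;
        END_IF;
    END_FOR;

    (* 3. assemble the fields byte by byte in a fixed (little-endian) order; this
          makes the result independent of the byte swap between the two CPUs *)
    wSeq := BYTE_TO_WORD(I_abyFrame[0]) OR SHL(BYTE_TO_WORD(I_abyFrame[1]), 8);
    wVal := BYTE_TO_WORD(I_abyFrame[2]) OR SHL(BYTE_TO_WORD(I_abyFrame[3]), 8);
    iVal := WORD_TO_INT(wVal);

    (* 4. freshness: a frame carrying the sequence number already accepted is stale *)
    IF wSeq = wLastSeq THEN
        xOk := FALSE;
    END_IF;

    (* 5. process-specific plausibility of the value itself *)
    IF (iVal < I_iMin) OR (iVal > I_iMax) THEN
        xOk := FALSE;
    END_IF;
END_IF;

IF xOk THEN
    wLastSeq := wSeq;
    O_wSeq   := wSeq;
    O_iValue := iVal;
    O_xValid := TRUE;
    wAge     := 0;
ELSIF wAge < I_wMaxAge THEN
    wAge := wAge + 1;                    (* keep the last accepted value for a bounded time *)
ELSE
    O_xValid := FALSE;                   (* no fresh valid frame: fail-safe value *)
    O_iValue := 0;
END_IF;
END_FUNCTION_BLOCK
```

Which checks are sufficient is a process-specific decision: the complemented copy only detects corruption, not a wrong but well-formed value from a compromised or faulty non-safety CPU, which is why the range check and the bounded age, and any further cross-checks against safe inputs, belong in the safety program rather than on the non-safety side.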


C.5.2 Cyclic non-safe data exchange

DANGER!
If cyclic non-safe data exchange is used to receive or send safety data from or to the safety CPU, the SIL 3 (IEC 61508 and IEC 62061) and PL e (ISO 13849-1) functional safety requirements are not fulfilled for the received and sent data, independently of the application safety communication profile used, because only one microprocessor (no 1oo2 safety architecture in the background) on the safety CPU handles the sending and receiving direction.
Contact ABB technical support on how to reach SIL 3 and PL e.

DANGER!
It must be guaranteed by proper Automation Builder user management configuration that only users of the safety group are allowed to implement cyclic non-safe data exchange.

How to use cyclic non-safe data exchange

1. Right-click on the safety CPU node and select "Add object".
2. Select "Cyclic non-safe data exchange".
   → A cyclic non-safe data exchange instance is added to the safety CPU node.


3. Double-click on the "Cyclic non-safe data exchange" instance.
   → A warning is displayed that safety requirements are not fulfilled when using the cyclic non-safe data exchange.
4. Carefully read the warning and confirm it. Without confirming, you are not able to define variables and therefore not able to use the data exchange.
5. For details on the checkbox "Prevent automatic modification of safety application", refer to Appendix C.5.2.1 "Migration from AC500 V2 to AC500 V3 (compatibility mode)" on page 415.
6. Define variables in the tables; refer to the detailed description for defining variables ("Define variables" on page 413).
   Table "From safety CPU": variables which are written by the safety CPU and read by the non-safety CPU.
   Table "To safety CPU": variables which are written by the non-safety CPU and read by the safety CPU.
7. Build or rebuild the non-safety application in Automation Builder. Do this after each modification of the cyclic non-safe data exchange, e.g., new variables added or existing variables updated.
   → The variables are created and can be used in the non-safety application.


8. Right-click on the safety application node ("AC500_S") and select "Create Safety Configuration Data". Do this after each modification of the cyclic non-safe data exchange, e.g., new variables added or existing variables updated.
   → The variables are created and can be used in AC500-S Programming Tool.

Define variables

Columns of the variable tables:
Variable (CPU) | Variable name for the non-safety application
Type | Variable type, for both the non-safety and the safety application
Description (CPU) | Variable description for the non-safety application
Variable (safety CPU) | Variable name for the safety application
Description (safety CPU) | Variable description for the safety application

Add a variable for the non-safety application in the last empty row.
   → The corresponding variable name and description for the safety CPU are added automatically. If required, you can adapt them independently of the non-safety variable name and description. To synchronize them again, manually change the entries that shall be the same so that the variable names are written identically; automatic synchronization is then active again.

Supported data types:
● Standard data types like BYTE, WORD, INT
● Array data types


● Data unit types (DUTs)DUT objects are automatically created in AC500-S Programming Tool during “Create SafetyConfiguration Data”.

● A mixture of the aboveSupported features for adding variables:● Cut, copy, paste, delete and insert of variables via context menu and standard windows

shortcuts.● Bulk data modification, e.g., copy and paste variables from and to .csv file.● Filters for each column.● Undo and redo of changes.● “Input Assistant” for variable name and type Ä [3].

NOTICE! Since the variable names are generated for both the safety and the non-safety application, it is recommended to use variable names that clearly describe the transmission direction, e.g., "PMtoSM" and "SMtoPM" or "toSM" and "fromSM".

DANGER! To satisfy the safety programming guidelines (Chapter 4.4 “Safety programming guidelines” on page 182), you must follow these rules:
– Use the prefixes "I_" (non-safety inputs for the safety CPU) and "O_" (non-safety outputs from the safety CPU) for the variable names on the safety CPU. The cyclic non-safe data exchange is non-safe; therefore, do not use any safety prefixes (Chapter 4.5 “Safety code analysis tool” on page 191).
– Add a description for each variable with at least 10 characters.

NOTICE! If you use cyclic non-safe data exchange, changes made in the non-safety programming environment (e.g., to the exchanged variables) can result in a new boot project CRC for the safety application.

NOTICE! Cyclic non-safe data exchange shares the memory with the PROFIsafe process data (e.g., safety inputs and outputs) of the configured safety I/O devices and is limited to 2048 bytes for each direction. Automation Builder does not check the size when the variables are defined, but during “Create Safety Configuration Data”.

NOTICE! Using cyclic non-safe data exchange influences the cycle time of the non-safety CPU. E.g., data exchange with many small (granular) variables can generate a significant load on the non-safety CPU.


C.5.2.1 Migration from AC500 V2 to AC500 V3 (compatibility mode)

You can migrate an existing Automation Builder project with AC500 V2 non-safety CPUs and safety CPUs with cyclic non-safe data exchange to a project with AC500 V3 non-safety CPUs.

If you do not want to change the safety application, enable the checkbox “Prevent automatic modification of safety application”. When the checkbox is enabled, no variable assignments between safety and non-safety CPU are made. In the AC500-S Programming Tool, no folder “CyclicNonSafeDataExchange” and no corresponding global variables are generated; the safety application remains unchanged. On the safety CPU, data exchange with the non-safety CPU is done with specific function blocks. Refer to the corresponding description, available via www.abb.com/plc, document no. 3ADR025195M0202. On the non-safety CPU, data exchange with the safety CPU is done via the variables defined in the tables “From safety CPU” and “To safety CPU”.

NOTICE! If you use the compatibility mode (Appendix C.5.2.1 “Migration from AC500 V2 to AC500 V3 (compatibility mode)” on page 415), use the checklist for cyclic non-safe data exchange with AC500 V2 (Appendix B.5.2 “Cyclic non-safe data exchange” on page 399).


C.5.2.2 Troubleshooting

NOTICE! If you use the compatibility mode (Appendix C.5.2.1 “Migration from AC500 V2 to AC500 V3 (compatibility mode)” on page 415), refer also to the troubleshooting for cyclic non-safe data exchange with AC500 V2 (Appendix B.5.2 “Cyclic non-safe data exchange” on page 399).

| ID | Behavior | Potential cause | Remedy |
|---|---|---|---|
| 1 | Cyclic non-safe variables not updated in safety and/or non-safety CPU. | Configuration has not been updated. | Clean and build/rebuild the non-safety CPU application. Create safety configuration data. Check for error messages. Log in to the non-safety and safety CPU and download the applications. Create new boot projects for the safety CPU and the non-safety CPU. |
| 2 | Safety CPU cycle time too high for the given application. | Amount of cyclic non-safe data is too big. | Check whether the configured variables are really necessary for the particular use case. Reduce the number of variables to increase performance. |
| 3 | Variable cannot be used in the application because it is not defined, or variable is not listed in the "Input Assistant". | Configuration has not been updated. | Clean and build/rebuild the non-safety CPU application. Create safety configuration data. Check for error messages. |
| 4 | The used size of a variable is bigger than expected. | In some cases one or more padding bytes are required to fulfill the data alignment. This is done automatically in Automation Builder. | Reorganize the variables in the used DUTs; declare the biggest data type first. Bad example: VAR0 : BYTE, VAR1 : DWORD, VAR2 : BYTE, VAR3 : WORD. Good example: VAR1 : DWORD, VAR3 : WORD, VAR0 : BYTE, VAR2 : BYTE. |
| 5 | Build errors. | Inconsistent internal data. | Clean the non-safety application and build it again. |
| 6 | Variable in the table is not added. | Missing or wrong values for the variable definition. | Enter at least the variable name (“Variable (CPU)”) and the type. These values are mandatory. |
| 7 | Error message "...no valid assignment target". | Variable is defined in the wrong table. | Variables defined in the table “From safety CPU” are written by the safety CPU and can only be read by the non-safety CPU. Variables defined in the table “To safety CPU” are written by the non-safety CPU and can only be read by the safety CPU. |
| 8 | Error message about memory overflow. | Cyclic non-safe data exchange shares the memory with the PROFIsafe process data (e.g., safety inputs and outputs) of the configured safety I/O modules and is limited to 2048 bytes in total for each direction. Automation Builder does not check the size when the variables are defined, but during “Create Safety Configuration Data”. | Reduce the size of the cyclic non-safe data exchange and perform “Create Safety Configuration Data” again. |

If a problem persists, contact ABB technical support.
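The rules given under “Define variables” above (I_/O_ prefixes, descriptions of at least 10 characters, mandatory name and type, the 2048-byte limit per direction) and the padding behaviour of troubleshooting item 4 can all be checked offline, before “Create Safety Configuration Data” reports them. The following Python script is an added example and is not part of this manual, of Automation Builder or of the AC500-S Programming Tool. It assumes natural alignment for DUT members (the manual only says that padding bytes are inserted automatically), treats BOOL as one byte, sums top-level variables without padding between them, and models the manual's two tables with a constructed "Direction" column whose values `to_safety` and `from_safety` are the example's own. The sample DUTs and CSV rows are constructed for the example.

```python
"""Offline checker for the cyclic non-safe data exchange variable table.

Added example, not ABB tooling. It reads the table columns from the manual as
CSV (the format the bulk copy/paste feature uses) and checks the rules stated
in this appendix: name and type are mandatory, safety-CPU names carry "I_"
(to safety CPU) or "O_" (from safety CPU), descriptions have at least 10
characters, and each direction stays within 2048 bytes. Assumptions not in
the manual: natural alignment for DUT members, BOOL as one byte, no padding
between top-level variables, a "Direction" column instead of two tables.
"""
import csv
import io
import re

# IEC 61131-3 elementary types and their sizes in bytes (BOOL = 1 is an assumption).
ELEM_SIZE = {"BOOL": 1, "BYTE": 1, "SINT": 1, "USINT": 1,
             "WORD": 2, "INT": 2, "UINT": 2,
             "DWORD": 4, "DINT": 4, "UDINT": 4, "REAL": 4,
             "LWORD": 8, "LINT": 8, "ULINT": 8, "LREAL": 8}
ARRAY_RE = re.compile(r"^ARRAY\s*\[\s*(-?\d+)\s*\.\.\s*(-?\d+)\s*\]\s*OF\s+(.+)$", re.I)
DIRECTION_PREFIX = {"to_safety": "I_", "from_safety": "O_"}   # constructed names


def type_layout(type_name, duts):
    """Return (size, alignment) in bytes for an elementary, ARRAY or DUT type."""
    t = type_name.strip()
    if t.upper() in ELEM_SIZE:
        return ELEM_SIZE[t.upper()], ELEM_SIZE[t.upper()]
    m = ARRAY_RE.match(t)
    if m:
        lo, hi, elem = int(m.group(1)), int(m.group(2)), m.group(3)
        size, align = type_layout(elem, duts)
        return size * (hi - lo + 1), align
    if t in duts:
        total, align, _ = dut_layout(duts[t], duts)
        return total, align
    raise ValueError(f"unknown type {t!r}")


def dut_layout(members, duts=None):
    """Lay out DUT members in declaration order with natural alignment.

    Returns (total_size, alignment, {member: offset}); the total includes the
    padding bytes that Automation Builder inserts (troubleshooting item 4).
    """
    duts = duts or {}
    offset, max_align, offsets = 0, 1, {}
    for name, typ in members:
        size, align = type_layout(typ, duts)
        offset += (-offset) % align          # pad up to the member's alignment
        offsets[name] = offset
        offset += size
        max_align = max(max_align, align)
    return offset + (-offset) % max_align, max_align, offsets


def check_table(csv_text, duts=None):
    """Validate the rows; return (findings, bytes used per direction)."""
    duts = duts or {}
    findings, used = [], {d: 0 for d in DIRECTION_PREFIX}
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        name_cpu = (row.get("Variable (CPU)") or "").strip()
        typ = (row.get("Type") or "").strip()
        if not name_cpu or not typ:
            findings.append(f"row {n}: name and type are mandatory; row is not added")
            continue
        direction = row["Direction"].strip()
        sm_name = (row.get("Variable (safety CPU)") or name_cpu).strip()
        prefix = DIRECTION_PREFIX[direction]
        if not sm_name.startswith(prefix):
            findings.append(f"row {n}: safety-CPU name {sm_name!r} must start with {prefix!r}")
        for col in ("Description (CPU)", "Description (safety CPU)"):
            if len((row.get(col) or "").strip()) < 10:
                findings.append(f"row {n}: {col} has fewer than 10 characters")
        try:
            size, _ = type_layout(typ, duts)
        except ValueError as exc:
            findings.append(f"row {n}: {exc}")
            continue
        used[direction] += size
    for direction, total in used.items():
        if total > 2048:
            findings.append(f"{direction}: {total} bytes exceed the 2048-byte limit per direction")
    return findings, used


# Constructed sample input (not from the manual). The DUTs repeat the bad and
# good member orders of troubleshooting item 4.
SAMPLE_DUTS = {
    "DUT_Bad": [("VAR0", "BYTE"), ("VAR1", "DWORD"), ("VAR2", "BYTE"), ("VAR3", "WORD")],
    "DUT_Good": [("VAR1", "DWORD"), ("VAR3", "WORD"), ("VAR0", "BYTE"), ("VAR2", "BYTE")],
}
SAMPLE_CSV = """\
Direction,Variable (CPU),Type,Description (CPU),Variable (safety CPU),Description (safety CPU)
to_safety,PMtoSM_Speed,INT,Conveyor speed setpoint,I_PMtoSM_Speed,Conveyor speed setpoint
to_safety,PMtoSM_Status,DUT_Bad,Status word block,I_PMtoSM_Status,Status word block
from_safety,SMtoPM_Ack,BOOL,Ack,SMtoPM_Ack,Ack
from_safety,SMtoPM_Diag,ARRAY[0..1023] OF WORD,Large diagnostic buffer,O_SMtoPM_Diag,Large diagnostic buffer
from_safety,,WORD,Missing name row,O_Nothing,Missing name row
"""

if __name__ == "__main__":
    for label in ("DUT_Bad", "DUT_Good"):
        print(label, "occupies", dut_layout(SAMPLE_DUTS[label])[0], "bytes")
    for finding in check_table(SAMPLE_CSV, SAMPLE_DUTS)[0]:
        print(finding)
```

Run as a script it prints the two DUT sizes and the findings; to check your own table, paste the exported .csv into SAMPLE_CSV with a Direction column added. Under the stated alignment assumption the bad member order occupies 12 bytes and the good order 8, so the same four members cost half again as much of the 2048-byte budget when declared in the wrong order, which is why item 4 recommends putting the biggest type first.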


—D Release information

Every released safety CPU firmware is backwards compatible with any former released firmware. No changes in existing safety projects are necessary (existing boot projects can be maintained). If you want to use new functionalities of the latest safety CPU firmware, you must use the most recent released Automation Builder version. This ensures that you work with the latest released safety libraries.


D.1 Compatibility with PROFIsafe profiles

Table 119: Compatibility of safety applications with PROFIsafe profile F-Host

| PROFIsafe profile | Automation Builder | Library SafetyBase_PROFIsafe | Firmware version of safety CPU | Safety CPU |
|---|---|---|---|---|
| F-Host V2.4 | V1.0.0 or higher | V1.0.1 or higher | V1.0.0 or higher | SM560-S, SM560-S-FD-1, SM560-S-FD-4 |
| F-Host V2.6 | V2.5.0 or higher | V2.1.0 or higher | V2.2.0 or higher | SM560-S, SM560-S-FD-1, SM560-S-FD-4 |

Table 120: Compatibility of safety applications with PROFIsafe profile F-Device

| PROFIsafe profile | Automation Builder | Library SafetyDeviceExt | Library SafetyBase_PROFIsafe | Firmware version of safety CPU | Safety CPU |
|---|---|---|---|---|---|
| F-Device V2.4 | V2.1.0 or higher | V1.0.0 or higher | V2.0.0 or higher | V2.0.0 or higher | SM560-S-FD-1, SM560-S-FD-4 |
| F-Device V2.6 | V2.5.0 or higher | V1.0.0 or higher | V2.0.0 or higher | V2.2.0 or higher | SM560-S-FD-1, SM560-S-FD-4 |


D.2 Version history of safety CPU firmware

Table 121: Version history of safety CPU firmware

| Firmware version of safety CPU | Description of version / changes | Release date |
|---|---|---|
| V2.2.0 | Extensions for PROFIsafe V2.6 compliance: support of F-Devices with PROFIsafe V2.6 compliance; FD variants: 2 new F-Submodules added with PROFIsafe V2.6 compliance (12 bytes safety process data, 123 bytes safety process data); new safety functions added offering SIL3 compliant transmission of safety-related data via the acyclic/cyclic non-safe data exchange mechanism (SF_CRC_INIT, SF_CRC_INPUT, SF_CRC_FINISH). Preconditions (available with Automation Builder V2.3.0 or newer): use of the new safety libraries SafetyBase_PROFIsafe_LV210_AC500_V22.lib and SafetyExt2_LV110_AC500_V27.lib. | 2021 |
| V2.1.0 | Maintenance update, no functional changes. | 2019 |
| V2.0.0 | Introduction of two new safety CPU variants offering F-Device functionality: new variants SM560-S-FD-1 and SM560-S-FD-4 supported with F-Device functionality; additional safety functions added (SF_SAFE_STOP, SF_BOOTPROJECT_CRC, SF_MAX_POWER_DIP_GET_CFG). Preconditions (available with Automation Builder V2.1.0 or newer): use of the new safety libraries SafetyBase_PROFIsafe_LV200_AC500_V22.lib and SafetyDeviceExt_LV100_PROFIsafe_AC500_V27.lib; support of the new safety library SafetyExt2_LV100_AC500_V27.lib. | 2018 |
| V1.0.0 | Initial release version for SM560-S. | 2012 |


D.3 Version history of safety libraries

Old versions of libraries are not to be used in new AC500-S application projects (Chapter 4.6.1 “Overview” on page 192). Libraries which are only for internal use are not listed in the version history.

Table 122: Version history of library SafetyBase_PROFIsafe

| Version of safety library | Description of version / changes | Preconditions | Release date |
|---|---|---|---|
| V2.1.0 | SafetyBase_PROFIsafe_LV210_AC500_V22.lib: extensions for PROFIsafe V2.6 compliance; configurable startup timeout for PROFIsafe communication; support of 32-bit data types for F-Device process signals | Automation Builder 2.5.0 with safety CPU firmware V2.2.0 | 2021 |
| V2.0.0 | SafetyBase_PROFIsafe_LV200_AC500_V22.lib: extension for F-Device V2.4 support in the new variants SM560-S-FD-1/SM560-S-FD-4; library CRC: 1d881052 | Automation Builder 2.1.0 with safety CPU firmware V2.0.0 | 2018 |
| V1.0.1 | SafetyBase_PROFIsafe_AC500_V22_Ext.lib: maintenance update (CRC calculation fix for 0-telegrams); library CRC: f34d9a48 | Automation Builder 1.0.0 with safety CPU firmware V1.0.0 | 2017 |
| V1.0.0 | SafetyBase_PROFIsafe_AC500_V22.lib: initial release version (F-Host support for PROFIsafe V2.4 F-Devices) | Automation Builder 1.0.0 with safety CPU firmware V1.0.0 | 2012 |

Table 123: Version history of library SafetyBlocks_PLCopen

| Version of safety library | Description of version / changes | Preconditions | Release date |
|---|---|---|---|
| V1.0.0 | SafetyBlocks_PLCopen_AC500_V22.lib: initial release version | Automation Builder 1.0.0 with safety CPU firmware V1.0.0 | 2012 |


Table 124: Version history of library SafetyDeviceExt

| Version of safety library | Description of version / changes | Preconditions | Release date |
|---|---|---|---|
| V1.0.0 | SafetyDeviceExt_LV100_PROFIsafe_AC500_V27.lib: initial release version (F-Device support in the new variants SM560-S-FD-1/SM560-S-FD-4) | Automation Builder 2.1.0 with safety CPU firmware V2.0.0 | 2018 |

Table 125: Version history of library SafetyExt2

| Version of safety library | Description of version / changes | Preconditions | Release date |
|---|---|---|---|
| V1.1.0 | SafetyExt2_LV110_AC500_V27.lib: additional FBs added (SF_CRC_INIT, SF_CRC_INPUT, SF_CRC_FINISH) | Automation Builder 2.3.0 with safety CPU firmware V2.2.0 | 2021 |
| V1.0.0 | SafetyExt2_LV100_AC500_V27.lib: initial release version; library CRC: f3eb2fbc | Automation Builder 2.1.0 with safety CPU firmware V2.0.0 | 2018 |

Table 126: Version history of library SafetyExt

| Version of safety library | Description of version / changes | Preconditions | Release date |
|---|---|---|---|
| V1.0.0 | SafetyExt_AC500_V22.lib: initial release version | Automation Builder 1.0.0 with safety CPU firmware V1.0.0 | 2012 |


—© Copyright 2012-2022 ABB.

— ABB AG
Eppelheimer Str. 82
69123 Heidelberg, Germany
Telephone: +49 (0)6221 701 1444
Fax: +49 (0)6221 701 1382
E-mail: [email protected]
www.abb.com/plc

We reserve all rights in this document and in the information contained therein. Reproduction, use or disclosure to third parties without express authority is strictly forbidden.